Comment by arghwhat
7 months ago
Vlad's interpretation of GDPR is both horribly wrong and very concerning.
Personally Identifiable Information includes anything that can be used to uncover a person's identity. An email address is PII, as it can be used to identify which person their data relates to - and they do have data, at the very least a user account and settings but likely also logs.
Full names, phone numbers or IP addresses are also PII - if you have a server log with source addresses, that's PII under both GDPR and CCPA. Why you have it, and whether I can take steps to hide my identity is no excuse - you need to follow the legal process for PII under GDPR and CCPA, need have data controllers in place and ways for any individual (registered or not!) to make the appropriate data requests and removal requests as applicable.
IANAL, but even UUIDs and hashes of user names can fall under the EU, when there is a future possibility of linking it to a user (e.g. through behavior). See e.g. https://law.stackexchange.com/questions/86570/in-gdpr-terms-...
To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.
https://gdpr-info.eu/recitals/no-26/
An e-mail by itself is not PII, it has to be connected to other personal data. When companies use Stripe for payments, those other personal data are cared for by Stripe.
There are people who argue that just the name of a person is PII and they are wrong.
> There are people who argue that just the name of a person is PII and they are wrong.
It's very easy for a name to be PII. I'm quite certain mine is unique, due to hyphenating when I got married.
There is no test under GDPR for personal data that can identify an individual to have to identify a single unique individual to be in scope of the legislation, just that the personal data can be used to identify _an_ individual. Two people living at the same address with the same name sharing the same telephone doesn't suddenly make all that personal data fall out of scope.
Whilst the response from OP is so obviously wrong and confusing that it's likely to be a troll and not worth engaging with, it's worth clarifying to anyone reading this thread that email addresses most certainly do qualify as personal data under GDPR. GDPR very clearly states what personal data is (see https://gdpr.eu/eu-gdpr-personal-data/ and https://gdpr-info.eu/issues/personal-data/) and that storing or processing of this data necessitates the need to comply with the requirements of the GDPR (particularly the rights detailed under https://gdpr-info.eu/chapter-3/).
For the purposes of this conversation, an email address is personal data, operating in the EU (and additionally, by way of carried-over legislation, the UK) means complying with the GDPR, and therefore Kagi need to provide mechanisms by which people covered by the legislation can enforce the rights afforded them within it.
(GDPR also doesn't use the term "PII", merely just "personal data" and goes on to detail what this means in terms of identification, which might add to the confusion in OPs original message).
Your name by itself and not connected to anything else, is not PII. But there are many people who argue that.
1 reply →
> There are people who argue that just the name of a person is PII and they are wrong.
> ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, [...]
https://gdpr.eu/article-4-definitions/
A name is PII, as stated by the definitions in the GDPR.
You're misunderstanding. The name by itself is not personal data, but data connected to a name is.
5 replies →
This is wrong on all points. GDPR quotes that directly contradict this below.
Quoting GDPR Article 4, point 1 (https://gdpr.eu/article-4-definitions/):
> ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
And Recital 30 (https://gdpr.eu/recital-30-online-identifiers-for-profiling-...), which gives some more examples of identifiable information such as IP addresses:
> Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
There is also the quote from the Danish Datatilsyn (https://www.datatilsynet.dk/english/fundamental-concepts-/wh...) also makes some more examples and explicitly highlight that is is PII even when it must first be combined with other data:
> Personal data may, for example, include information on name, address, e-mail address, personal identification number, registration number, photo, fingerprints, diagnostics, biological material, when it is possible to identify a person from the data or in combination with other data. It is said that the information is “personally identifiable”.
---
An email address is obvious PII because it is a globally unique identifier representing a way of contacting a specific person. You can find the name of the owner separately and correlate it with your stored data, thus identifying the person.
Even if you store nothing else, the email reveals that you have an association with the user, but you most likely also have data that ties activity to the email such as the user logging in and using your service in any way or form.
> There are people who argue that just the name of a person is PII and they are wrong.
A person's name is the most obvious case of personally identifiable information.