Comment by arghwhat

This is wrong on all points. GDPR quotes that directly contradict this below.

Quoting GDPR Article 4, point 1 (https://gdpr.eu/article-4-definitions/):

> ‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

And Recital 30 (https://gdpr.eu/recital-30-online-identifiers-for-profiling-...), which gives some more examples of identifiable information such as IP addresses:

> Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

There is also the quote from the Danish Datatilsyn (https://www.datatilsynet.dk/english/fundamental-concepts-/wh...) also makes some more examples and explicitly highlight that is is PII even when it must first be combined with other data:

> Personal data may, for example, include information on name, address, e-mail address, personal identification number, registration number, photo, fingerprints, diagnostics, biological material, when it is possible to identify a person from the data or in combination with other data. It is said that the information is “personally identifiable”.

---

An email address is obvious PII because it is a globally unique identifier representing a way of contacting a specific person. You can find the name of the owner separately and correlate it with your stored data, thus identifying the person.

Even if you store nothing else, the email reveals that you have an association with the user, but you most likely also have data that ties activity to the email such as the user logging in and using your service in any way or form.

> There are people who argue that just the name of a person is PII and they are wrong.

A person's name is the most obvious case of personally identifiable information.