← Back to context

Comment by ceejayoz

7 months ago

The GDPR's scope is defined as:

"This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system."

A name or email in Kagi's database is very clearly subject to GDPR. A note on your desk may not be; not because the name isn't PII, but because not all PII is in a protected context.

You're incorrectly mixing up "it's not PII" with "it's not subject to GDPR". It's still PII even if you're not legally required to protect it in a specific scenario; I can, for example, tell random people about my wife's very unique medical conditions, but her hospital cannot.