E-mail counts as user identifying information per the GDPR, so clearly they have kept user identifying information so the GDPR applies.
Even an IP address is user identifying information per the GDPR, which is why if for example a website wants to be compliant without obtaining explicit user authorization, it needs to do things like not maintain logs with IP addresses for longer than it would be necessary to track down problems with the website or intrusion attempts.
Right, so e-mail address together with IP address would then make the e-mail that of an identifiable user under Art.4(1). So the OP needs to find out if an IP address was logged and retained in connection with the email address.
E-mail counts as user identifying information per the GDPR, so clearly they have kept user identifying information so the GDPR applies.
Even an IP address is user identifying information per the GDPR, which is why if for example a website wants to be compliant without obtaining explicit user authorization, it needs to do things like not maintain logs with IP addresses for longer than it would be necessary to track down problems with the website or intrusion attempts.
Right, so e-mail address together with IP address would then make the e-mail that of an identifiable user under Art.4(1). So the OP needs to find out if an IP address was logged and retained in connection with the email address.