I’m trying to get to the bottom of this because a chunk of my data & activity is tied to nothing but my email address which always deliberately excludes personal identifiers and I do everything over Tor.
GDPR recital 26 seems the most relevant. It’s complicated but note that the GDPR clearly does not apply to legal persons (aka moral persons aka companies). So a data controller must at a minimum have a way of knowing the account belongs to a natural person. Which IMO requires being linked to other data like IP address. Though even that is a fuzzy because IP databases on whether an IP address is residential boils down to guesswork.
Tempting to read wp136 which predates the GDPR but seems quite relevant. It’s possibly the most exact answer unless there is a closely related CJEU ruling.
I’m trying to get to the bottom of this because a chunk of my data & activity is tied to nothing but my email address which always deliberately excludes personal identifiers and I do everything over Tor.
GDPR recital 26 seems the most relevant. It’s complicated but note that the GDPR clearly does not apply to legal persons (aka moral persons aka companies). So a data controller must at a minimum have a way of knowing the account belongs to a natural person. Which IMO requires being linked to other data like IP address. Though even that is a fuzzy because IP databases on whether an IP address is residential boils down to guesswork.
Tempting to read wp136 which predates the GDPR but seems quite relevant. It’s possibly the most exact answer unless there is a closely related CJEU ruling.