
"just PII" was a bit too strong, but this is how GDPR defines personal data, which is what it regulates:

> ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Identifiable is core to this definition. It's important to note that it's taken so far that it's enough if others can establish the link, which is why things like IP addresses or photos fall under it, even if I as a website operator can't just go ask ISPs for the user behind an IP.

> with on demand wipeout.

I keep coming back to that: GDPR only has something I'd call "on-demand wipeout" if your only base of processing is "I've asked the user for consent", because they can revoke said consent (or if you kept data without justification of course). If you need the data to fulfill a contract, you can store it as long as that's still true. If you're legally obligated to keep records, the person can't just request you delete it. If you can argue a strong overriding interest to keep some data, you can keep it - although that one is of course open to interpretation when your interest is actually weighing higher than the person's interest (an example might be fraud prevention records).


