1

For example, can you reference a customer by their domain in an email?

Each customer in a system can be associated with a domain, and some domains are associated with a single customer.

schroeder
  • 123,438
  • 55
  • 284
  • 319
G SB
  • 13
  • 2
  • PII isn't defined in the same way in every context, so the answer depends on your goal and your jurisdiction. See wikipedia: https://en.wikipedia.org/wiki/Personal_data . – reed Oct 01 '20 at 21:16

3 Answers3

2

The answer, as with all things "data protection" is, "it depends".

It's PII if it can be used to identify a natural person. That's your test.

If enough people share that domain already in your system that it would not be feasible to identify a natural person with it, then it is (probably) not PII.

If you can identify someone with it, then it (probably) is. So, a single domain with a single user would end up being deemed PII.

This gets more certain if the domain is their name. For instance, if I ran my own email server and used schroeder@schroeder.com (and no, I don't), that would be PII. This is not that common anymore, but it was.

schroeder
  • 123,438
  • 55
  • 284
  • 319
1

Schroeder awnsered this better.

But basically a domain is only considered PII if it’s possible to derive a person from it. Thereby making it a PII.

Doing this is a really bad idea since the DNS system requires that anyone can cache the data by design. This means anyone can make copies of the data.

In regards to mail servers. It’s actually really rare that a mail server domain refers to a person, it usually refers to a company. Also is the email address itself allready PII, so considering just the domain part of it is kinda redundant.

LvB
  • 8,217
  • 1
  • 26
  • 43
-2

Your question is not a technical question, it's a legal question which depends on the specific legal framework such as GDPR.

If the domain is xxxx@mikejohnson.com then it can be considered PII. If the domain is xxxx@mycustomer1.com then it's not, although a good lawyer can find the way to link it someone and then it becomes PII.

Far_n_Y
  • 1
  • No, I don't think that's the point. If mycustomer1.com is used by a single individual, this certainly traces back to the owner. But you can't know it in advance how many people will use a single domain. Ie. if it's a vanity personal domain or even a small business – usr-local-ΕΨΗΕΛΩΝ Oct 01 '20 at 21:44
  • Yes, I agree with you. However, this is a legal question similar to considering an IP Address to be PII. – Far_n_Y Oct 01 '20 at 23:02