I'm well aware of what the GDPR actually says, thanks. I was the one quoting it.
My point is that what it actually says, unlike the definition of personal data you gave, clearly goes beyond just the identifying information.
Moreover, there was also clear intent, reflected in the provisions of the GDPR itself and in statements by officials involved in writing and interpreting it at EU level, for the safeguards on data portability and erasure to cover exactly the sort of data we are talking about with a service like Trello.
I'm not aware of any action so far that has actually tested this, but if a national regulator chose not to penalise flagrant non-compliance with both the letter and the spirit of the GDPR such as we see in this case in response to a genuine complaint, it simply wouldn't be doing its job, since it would essentially be unilaterally deciding that entire articles of the GDPR are pointless.
This certainly isn't beyond the bounds of possibility. Indeed, the vague nature of the GDPR in many respects and the reliance on subjective interpretation by all the different national regulators was one of the big criticisms that I and others made at the time it was introduced. But if that happened here and the regulators chose not to enforce in a situation like this, it really would turn the GDPR into a bit of a joke.
My point is that what it actually says, unlike the definition of personal data you gave, clearly goes beyond just the identifying information.
Moreover, there was also clear intent, reflected in the provisions of the GDPR itself and in statements by officials involved in writing and interpreting it at EU level, for the safeguards on data portability and erasure to cover exactly the sort of data we are talking about with a service like Trello.
I'm not aware of any action so far that has actually tested this, but if a national regulator chose not to penalise flagrant non-compliance with both the letter and the spirit of the GDPR such as we see in this case in response to a genuine complaint, it simply wouldn't be doing its job, since it would essentially be unilaterally deciding that entire articles of the GDPR are pointless.
This certainly isn't beyond the bounds of possibility. Indeed, the vague nature of the GDPR in many respects and the reliance on subjective interpretation by all the different national regulators was one of the big criticisms that I and others made at the time it was introduced. But if that happened here and the regulators chose not to enforce in a situation like this, it really would turn the GDPR into a bit of a joke.