
"Personal data" is defined quite broadly in the GDPR:

Article 4 states:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person




I just read a pretty interesting white paper (written by a compliance law firm) about data anonymisation and pseudonymisation with regard to GDPR. It provided a really neat ballpark of data that constitutes "user information" on two separate levels.

Direct identifiers include such material as: name, address, phone number, all kinds of national identifiers, biometrics, device identifiers and clinical trial record numbers.

Indirect (or "quasi-direct", a new word for me) include: gender, date of birth, postal codes or other geographic grouping identifiers, first language at home, marital status, ethnicity, ....

---

If you look at the two groups, there's a pretty clear distinction. Anything that would allow sending a highly personalised communication to a person is direct. Anything that allows targeting marketing cohorts is indirect.

The indirect ones may not sound important on the surface, but once you start doing group intersections, their combinations can become extremely narrow pointers.
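
The narrowing effect described in the comment above, as an added example that is not part of the original thread: a k-anonymity check that a data owner can run before releasing a table, reporting how small the groups become as indirect identifiers are combined. The records, column names and function names are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample records (not real data); the columns are indirect
# identifiers of the kind listed in the comment above.
COLUMNS = ("gender", "birth_year", "postal_code", "marital_status")
RECORDS = [
    ("F", 1984, "10115", "married"),
    ("F", 1984, "10115", "single"),
    ("F", 1990, "10115", "single"),
    ("M", 1984, "10115", "married"),
    ("M", 1984, "10117", "married"),
    ("M", 1990, "10117", "single"),
    ("F", 1990, "10117", "single"),
    ("M", 1990, "10115", "single"),
]

def class_sizes(records, col_idx):
    """Count records sharing each value combination on the chosen columns."""
    return Counter(tuple(r[i] for i in col_idx) for r in records)

def k_anonymity(records, col_idx):
    """Smallest equivalence class size: the k in k-anonymity."""
    return min(class_sizes(records, col_idx).values())

def unique_fraction(records, col_idx):
    """Share of records that are alone in their class (singled out)."""
    sizes = class_sizes(records, col_idx)
    alone = sum(1 for r in records if sizes[tuple(r[i] for i in col_idx)] == 1)
    return alone / len(records)

def worst_k_by_width(records, n_cols):
    """For each number of combined columns, the lowest k over all column sets."""
    return {
        width: min(k_anonymity(records, c)
                   for c in combinations(range(n_cols), width))
        for width in range(1, n_cols + 1)
    }

if __name__ == "__main__":
    for width, k in worst_k_by_width(RECORDS, len(COLUMNS)).items():
        print(f"{width} column(s) combined: worst-case k = {k}")
    all_cols = tuple(range(len(COLUMNS)))
    print(f"singled out on all columns: {unique_fraction(RECORDS, all_cols):.0%}")
```

A worst-case k of 1 means at least one record is unique on that column combination, so the release needs generalisation (for example coarser postal areas or birth decades) or suppression before it can be treated as anonymised.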



