
From that document and other reading, I think it's also when a combination of information results in being able to identify a person. For example, a dynamic IP address + timestamp is not enough for anybody but the ISP. But add in other information, for example HTTP headers, and it might be unique enough.

Also, what they're saying is some things trump privacy. Legal requirements to keep logs. Legitimate interest, e.g. billing. Defending against cyber attacks. Using that information for other purposes is still a no-no.

TL;DR: IP address + other info often becomes PII, and there are some exceptional cases where it's legitimate to store PII despite privacy concerns.


