Is gender considered PII (Personally Identifiable Information) under the GDPR?
The definition of personal data as mentioned in the GDPR:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
As you state that you use the presence of the variable to target individuals, the gender definitely has an indirect reference to someone's identity and as such, is personal data. However, that doesn't mean that you have to stop processing the gender in the context you described.
From a risk perspective (which is what the GDPR is all about), I don't see an issue if you only share the gender - which is actually pseudonymised since you don't supply any other direct identification data along with it.
However, you do have other obligations w.r.t. the transparency principle, incorporating the processing activity into your processing register, determining legal ground for processing (and acting accordingly), determining processor-controller relationship with your third party and including the necessary clauses in the the contract, etc. To determine all this, much more information is required than you have supplied in your question and I highly encourage to seek (legal) professional advice to support you in this matter.
TLDR: Possible
From https://www.seobyrvc.com/what-is-personally-identifiable-information-pii/:
The following are examples of “potentially personally-identifiable information”. That is, the data elements by themselves cannot be linked to a specific person but when combined with other information (such as items 1 through 11, above), they can be.
- A persistent identifier such as a generic customer/user value held in a “cookie”
- IP (Internet Protocol) address or host name
- Date of birth, age
- Racial or ethnic background
- Religious affiliation
- Gender
- Height, weight
- Marital status
- Employment information
- Medical information
- Financial information
- Credit information
- Student information
Depending on a site visitor’s browser settings, cookies (item 12), which are small text files, are stored on the visitor’s local drive and transmitted between their browser and the servers hosting the sites visited.
The point here is, as standalone information, these data elements are not PII. They have the potential to be PII. They become PII when they are combined with other more specific data which, in total, identifies a specific person.
For example, a full blown credit report without a link to a specific individual is not PII. It’s simply anonymous credit information. However, even though a credit report might not have a person’s first and last name, if it includes enough information to identify to a particular person (i.e. date of birth + gender + ethnicity + zip code + IP address), it fits the definition of PII.