1. Hello, I have contacted a company that manages a messaging app I used in the past to request information about exercising my right to erasure (Article 17(1) GDPR), since they say they're GDPR compliant. In particular, my question to them was about having my messages/posts (private and public) deleted when they close my account. They say they would refuse to delete these messages, since they argue that would interfere with other users' right to free expression and information (Article 17(3)(a)), as there would be gaps in the conversations potentially leading to misinterpretations or the lack of important context.
My questions to you are:
Are the messages and posts I sent through the app considered personal data under GDPR to the extent that the app would have to delete them under request?
The right to be forgotten, or the right to erasure, is not an absolute right; it depends on the data controller’s retention schedule, which must be based on one of the six legal grounds for processing personal data (storage is a data processing operation).
Related to your question, yes, messages and posts that you submitted through the app are considered to be personal data.
You can find more details at this link:
- Six legal bases to process data according to GDPR https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
2. Is the exception in Article 17(3)(a) a valid ground for refusing this request in this case?
In my opinion, Art 17 (3) (a), which specifies that the right to be forgotten does not apply when exercising freedom of expression, is not a valid ground for refusing your request in this case. This article should be invoked only when the processing of personal data is done solely for journalistic purposes, or for the purposes of academic, artistic, or literary expression. The data controller could take technical and organizational measures to fulfill your request, such as anonymizing your identifiers – name, surname, username, nickname, etc. For example, they could change your username to something like anonymous_user and modify all your posts/comments and answers to your posts/comments. If they cannot do this, it would mean that the data controller is in breach of Art 25 GDPR, Data protection by design and by default, which states that “the controller shall, […], implement appropriate technical and organizational measures, […], in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”
You can find more details at these links:
- Data subject rights according to GDPR https://advisera.com/eugdpracademy/knowledgebase/8-data-subject-rights-according-to-gdpr/
- EU GDPR Article 25 – Data protection by design and by default https://advisera.com/eugdpracademy/gdpr/data-protection-by-design-and-by-default/
- EU GDPR Article 17 – Right to erasure (‘right to be forgotten’) https://advisera.com/eugdpracademy/gdpr/right-to-erasure-right-to-be-forgotten/
To learn more about the right to be forgotten, see this free online training: GDPR Foundations Course https://advisera.com/training/eu-gdpr-foundations-course/
Dec 10, 2021