Expert Advice Community

GDPR Data Retention

Guest user Created:   Jan 29, 2021 Last commented:   Jan 29, 2021

Hello, I am from the US. I found a link which referred me to a website that specializes in modding videogames. Without looking or reading up much on the site I signed up as I assumed I would be able to delete my account. I quickly found that I did not want to keep this account there. I emailed the administrator of the site for clarification on the policy, and they stated that they were legally obligated to retain my account for 7 years, and they then banned me from the site. I had emailed about the possibility of deletion, though I did not request it before they banned me. I did further research on this site and they stated vaguely that the GDPR requires them to maintain my account for 10 years, but they state 7 in the terms of service. They also referenced US Tax Laws and the Swiss Data Protection Act, but they referred to the GDPR as the law they had to follow regarding retention of my account. I did a few hours of searching but could not come up with anything that stated they had to retain this, which would prevent me from acting upon my right to delete the account. I was wondering if there was something I missed in my research regarding the retention period.

Expert
Alessandra Nisticò Jan 29, 2021

The GDPR does not require data to be maintained for 10 years. The data minimization principle and the storage limitation principle (Article 5 GDPR), which are some of the general principles regarding data processing, require that data are processed for the period necessary to reach the purpose of processing.

When subscribing and creating an account on a website, the purpose of processing is to provide you with the service (access to your account), and the data retention period can be as long as the service is provided. The owner of the website can also keep personal data longer if you purchased some services or items on the website because tax laws require you to store invoices (which contain your personal data) for 10 years.

However, the data controller, in the terms of service and the privacy notice, should distinguish the data of users from the data of clients and allow the deletion of users' data if required by them. You can write to the website asking what the legal basis is under which they assume to keep your personal data, and highlight that since you did not purchase anything and you just created an account, you want your personal data to be canceled according to the right to be forgotten of GDPR, otherwise you will lodge a complaint with the Data Protection Authority of their country (you can send an email and attach your previous request and the reply of the website). Ignoring the principles of data processing (Art. 5 GDPR), the lawfulness of processing (Art. 6 GDPR) and data subjects' rights is one of the most serious GDPR infringements, with fines up to 20 000 000 EUR (Art. 83 par. 5 GDPR). Maybe you can add this reference in your email to the website.

If you want to know more about data subjects' rights, consent, and compliance with GDPR, here you can find more information:

If you need to understand how data subject rights need to be managed under GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://training.advisera.com/se/eu-gdpr-foundations-course//
