Hello, I am from the US. I found a link which referred me to a website that specializes in modding videogames. Without looking or reading up much on the site I signed up as I assumed I would be able to delete my account. I quickly found that I did not want to keep this account there. I emailed the administrator of the site for clarification on the policy, and they stated that they were legally obligated to retain my account for 7 years, and they then banned me from the site. I had emailed about the possibility of deletion, though I did not request it before they banned me. I did further research on this site and they stated vaguely that the GDPR requires them to maintain my account for 10 years, but they state 7 in the terms of service. They also referenced US Tax Laws and the Swiss Data Protection Act, but they referred to the GDPR as the law they had to follow regarding retention of my account. I did a few hours of searching but could not come up with anything that stated they had to retain this, which would prevent me from acting upon my right to delete the account. I was wondering if there was something I missed in my research regarding the retention period.
The GDPR does not require data to be maintained for 10 years. The data minimisation principle and the storage limitation principle (Article 5 GDPR), which are among the general principles governing data processing, require that data are processed only for the period necessary to achieve the purpose of the processing.
When subscribing and creating an account on a website, the purpose of the processing is to provide you with the service (access to your account), and the data retention period can be as long as the service is provided. The owner of the website can also keep personal data longer if you purchased services or items on the website, because tax laws require them to store invoices (which contain your personal data) for 10 years.
However, in the terms of service and the privacy notice the data controller should distinguish the data of users from the data of clients and allow the deletion of users' data if they request it.

You can write to the website asking what legal basis they assume allows them to keep your personal data, and highlight that, since you did not purchase anything and only created an account, you want your personal data erased under the GDPR right to be forgotten; otherwise you will lodge a complaint with the Data Protection Authority of their country (you can send an email and attach your previous request and the website's reply). Ignoring the principles of data processing (Art. 5 GDPR), the lawfulness of processing (Art. 6 GDPR) and data subjects' rights is one of the most serious GDPR infringements, with fines up to 20 000 000 EUR (Art. 83 par. 5 GDPR). You may want to add this reference in your email to the website.
If you want to know more about data subjects' rights, consent, and compliance with the GDPR, you can find more information here:
- Data subject rights according to GDPR https://advisera.com/eugdpracademy/knowledgebase/8-data-subject-rights-according-to-gdpr//
- Is consent needed? Six legal bases to process data according to GDPR https://advisera.com/eugdpracademy/knowledgebase/is-consent-needed-six-legal-bases-to-process-data-according-to-gdpr/
- Email marketing in the era of GDPR – How to ensure compliance? https://advisera.com/eugdpracademy/blog/2019/05/27/gdpr-and-email-marketing-rules-for-compliant-campaigns/
If you need to understand how data subject rights need to be managed under the GDPR, you can consider enrolling in our free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
Jan 29, 2021