Any pointers on how to report them?

  • sunbeam60@lemmy.one
    9 months ago

    Ding ding ding we have a winner. Unless you’ve done an official “right of erasure” request they’re perfectly entitled to keep your data, account deletion and all.

    • INHALE_VEGETABLES@aussie.zone
      8 months ago

      Is a right of erasure possible at this stage?

      I assume they still store the context of a deleted post somewhere and that the AI would still access it.

      • FuryMaker@lemmy.world
        8 months ago

        With cloud or tape backups, it’s nearly impossible to fully delete all data.

        By design, you would want to protect it from accidental or intentional deletion.

        I don’t know how any company can fully comply with GDPR to be honest.

    • coffeeClean@infosec.pub
      8 months ago

      I think the whole discussion is moot when the data is “anonymous”.

      But suppose they had the OP’s name on file linked to the acct thus making the GDPR applicable. There would still be a violation under GDPR Art.5 (minimization) and Art.25 (protection by design). But it is probably quite difficult to make a minimization case; lawyers have to work hard. Much stronger and effective to make an Art.17 claim, which indeed requires making the request.

      • Aceticon@lemmy.world
        8 months ago

        An e-mail is “user identifying information” per GDPR.

        So it’s not considered anonymous.

        • coffeeClean@infosec.pub
          8 months ago

          That phrase (“user identifying information”) does not appear in the GDPR text that I have. Do you have a page or section reference?

          According to the Commission, “an email address such as name.surname@company.com;” is an example of “personal data” [presumably from Art.4(1)]. But it’s interesting to note that that example obviously ties the address to an identifiable person. Is that the OP’s case? (I can’t see their Cloudflare-jailed screen shot)

          The EC also says “an email address such as info@company.com” is not an example of personal data.

          This should really be covered by an EDPB Guideline, but I’m not finding one.

          • Aceticon@lemmy.world
            8 months ago

            Yeah, you are correct and the wording is indeed “personal data”.

            I vaguely remember it was treated the same as a phone number.

            It’s been years since I had to look into the GDPR.

            • coffeeClean@infosec.pub
              8 months ago

              I’m trying to get to the bottom of this because a chunk of my data & activity is tied to nothing but my email address which always deliberately excludes personal identifiers and I do everything over Tor.

              GDPR recital 26 seems the most relevant. It’s complicated but note that the GDPR clearly does not apply to legal persons (aka moral persons aka companies). So a data controller must at a minimum have a way of knowing the account belongs to a natural person. Which IMO requires being linked to other data like IP address. Though even that is fuzzy because IP databases on whether an IP address is residential boil down to guesswork.

              Tempting to read wp136 which predates the GDPR but seems quite relevant. It’s possibly the most exact answer unless there is a closely related CJEU ruling.