@Hoddie. I believe it can. A user has the right to have their data deleted, which is known as the "right to be forgotten." A service provider doesn't have the right to deny that by any means.
However, you are right that PROPERLY anonymised data is unlikely to fall foul of GDPR, but if there is any way to ID a user - even get close through a process of elimination and the acquirement of other information available elsewhere, then there is risk for the company holding/using that data. It's simply not worth it. There are many examples of how anonymous data can be used to indirectly identify some aspects of a person dependent on what credentials were used to create the account, such as a device identifier and location. Data used for financial gain is rarely completely anonymous. It would be of limited use if it was.
There is a cost to pseudonymise data and it may simply be easier, cheaper and risk-free to delete all the data.
More detail: The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.
IMO, until there are real court cases and certain aspects of GDPR are tested through legal processes, it's best to err on the side of caution.
Comments
I am familiar with GDPR in my capacity as an employee representative but that scenario hadn't crossed my mind.