by wiz21c 3119 days ago
It's not that simple. For example in my business, we may give some money to help someone "once in its life" (the law says so). Therefore, if the person asks to be deleted, then we might not apply the law anymore because it'll mean we won't remember the decision... I think GDPR is a good thing, but at some point, in my business, those who write the laws will have to be aware of it (and the legal team is miles away from the IT stuff, sadly).

The GDPR offers exceptions to the right to erasure; this mostly includes legal compliance (banks) or in the interest of legal claims or when data cannot be easily deleted as an individual record. It also does not affect any non-digital documents which aren't filed. This is all laid out very thoroughly in the legal documents relating to this.
I must recognize I didn't read the section about removal thoroughly. But I did read the articles about the "categories of data" which are the major pain point right now 'cos it forces you to, well, find appropriate categories of data. It's a very interesting thing to do but, in my organization, it leads to many loooong discussions :-)
GDPR has an exemption related to the legal requirement to process data that might cover this (and related) scenarios.

> ...(unless) processing is necessary for compliance with a legal obligation to which the controller is subject;

Does this mean that someone can game 1-time special offers by repeatedly signing up and then demanding to be forgotten?

There's probably no legal obligation to enforce once-only cashback sign-up offers, so the right to be forgotten would presumably have to be followed.

There is an exception category for “legitimate business interest” so we’ll probably have to wait and see what the courts have to say.