I don't know either, and this is not legal advice. The regulations[0] are actually pretty clearly written, and not actually that long. Make yourself a good coffee, and read them in a few sittings, thinking about your specific context, and taking notes. My understanding, based on my reading and your comment, is as follows:

* You are retaining personal information - this requires consent.
* If you do something with the information you have, it requires consent.
* If you don't do anything with the information, and you are not legally obliged to retain it, you should delete it.
* When an individual asks, you must be able to tell them everything you hold on them, and where you got consent.
* When an individual asks you to delete their data, you must be able to do it within a short time-span (unless legally obliged to retain it).
* Consent can be implicit - for example if someone signs up for a service.
* You absolutely need a statement saying what information you hold, and what you do with it.
* If you can't say when, where, and how someone gave consent, you should seek to obtain explicit consent with an "opt-in" email.

Some of the above will probably be wrong, but I don't think anything is very wrong.

[0] https://gdpr-info.eu/