by endisneigh 1594 days ago
What you're saying is literally illogical in the case of IAB acting as an intermediary... Not sure you know what you're talking about in this case. The entire point of the original article is that the user's data is being fed through via IAB to tracking companies. This isn't a normal GDPR situation where the user's data directly is being stored in a way that's accessible to the user as well. Obviously in that scenario the user themselves could just request their data be deleted as that's what GDPR allows. IAB in this case has been acting as an intermediary, allowing tracking companies to collect metadata on users through them. Even if IAB deletes their data, the question is how will the Council know if the end-tracking companies deleted their data?
3 comments

If you keep data about a person in the EU that data is protected by GDPR regardless where or how you got it, having an intermediary doesn't matter.

> how will the Council know if the end-tracking companies deleted their data?

That doesn't matter, all they need is to ask the companies and the companies to say that they deleted the data. That is how everything else works with GDPR. When you ask a company to delete your data you don't know the company deleted it, they could still store it but keep it hidden etc. The government asking this is exactly the same.

If it later comes up that companies have a lot of data about users that they can't explain how they got, or that traces back to this case where they said they deleted it, then those companies will get huge fines. Open violations of laws where there is no question that the company knew they were breaking it are a very different case from companies toeing the line, the fines would get much higher.

yeah you're not understanding what I'm saying. cheers.

> This isn't a normal GDPR situation where the user's data directly is being stored in a way that's accessible to the user as well.

It's you that fails to understand the GDPR: that situation is not possible. In this case, the IAB is acting as the data controller for this data. As per GDPR requirements, when they share this data (for whatever purpose) with third-party processors, they must ensure through their contracts that the processor can comply with data deletion requests coming from users through the IAB.

If they cannot comply with that, both the controller and the processor are in violation of the GDPR, the controller doubly so because the GDPR requires them to audit their chosen data processors for GDPR compliance.

> how will the Council know if the end-tracking companies deleted their data?

There could be a tipoff, for example, from an employee. And if that whistleblower is right, then the company will suffer huge fines.

Or any of the numerous other ways that someone might be caught for a crime... let's go with whistleblower, as that is easy to understand.