[teraflop]

Contrary to popular understanding, the GDPR does not allow you to force a company to delete all data about you.

In effect, it lets you revoke your consent for the company to store and process your data. But it also provides for cases where your data can be processed without your consent. It's not an unlimited carte blanche, but fraud prevention is explicitly given as an example of a legitimate purpose.

[cj]

This is correct.

Businesses are allowed to retain information necessary to operate. Which would include things like names, email addresses, IP addresses, etc of people who are banned (to prevent them from returning).

If GDPR required a company to delete everything, it would be impractical. (E.g. imagine you request a company delete your info, and then you immediately sue them for something that happened while using their product/service… the company wouldn’t be able to defend themselves unless they retained a record/logs of your usage.

You can submit a deletion request, but in most cases much of your data won’t actually be deleted.

[varsketiz]

> Which would include things like names, email addresses, IP addresses, etc of people who are banned (to prevent them from returning).

I'm not sure about that. The company might reason it needs this data to operate, but you should be able to contest that with a data protection authority.

The data that you can not request to delete is for example money transaction data, which the company has to retain for 10 years or so due to other laws.

[cj]

Curious - has anyone here submitted a complaint to a data authority? I wonder what that process is like.

[varsketiz]

I have. It was about a company that kept spamming me with SMSes. I had to file an archaic form for a government agency. It took a while, I received a few emails about progress and asking for additional details.

The spam stopped.