by that_guy_iain 1414 days ago
> This is wrong on many of the early points so I didn’t finish it but: - on financial information, you must delete everything not required for regulatory purposes if requested by the user. - on logs, while there is a legitimate interest to be able to find logs related to a user to be able to help them in support cases you cannot keep that information indefinitely. And once a user requests deletion that need is no longer relevant.

I've had multiple legal teams tell me that once they pay for something you need to keep everything. It's required to be able to mount a legal defence in case they want to do chargebacks.

And on deleting logs, the law literally says archival reasons. But also, there is a technical feasibility exception too. The legitimate interest for knowing what went on in your system for logs isn't just for helping the user. Knowing why there was a traffic spike, what happened in the past, etc. is important to know how to properly handle your business; this is a legitimate need for a company. Again, lawyers told me this.


Indeed, there is a legitimate interest in keeping everything relevant to payments and execution of contracts for the time period that contract exists and for the time period a party can sue.

For instance, in the UK one can sue on a civil matter for up to 6 years after the issue arose (and I believe the same period for the taxman to come after you), so it is perfectly valid to retain data for 6 years even if the user asks you to delete them. That does not mean keeping all the data you may have, though, but certainly names, addresses, payment details, order and shipping details (if relevant), complaint/support correspondence, can and should be kept. Then it gets trickier because arguably you can be sued over anything, so there has to be a reasonable judgment call.

> I've had multiple legal teams tell me that once they pay for something you need to keep everything.

Pay for Google Drive, delete some old pictures, "error cannot delete pictures since you purchased more space".

Are we sure they don't just soft delete them?
haha, yea everything isn't everything.
"keep everything related to the contract/payment etc" this is not hard
Whatever about relying on legal advice for your own retention policy, it seems unwise to make sweeping generalisations packaged as guidance on GDPR For Developers By Example.

For one thing, as with any legislation, simplifying it to a limited number of examples is guaranteed to lead to error by omission. I'm sure that you've noticed that when legal firms post guidance about the GDPR (and in private correspondence like you would have received in your own conversations with lawyers), they are never as definitive or absolute in their advice as this blog post is.

>And on deleting logs, the law literally says archival reasons.

Where in the Regulation are you referring to? Are you referring to archiving in the public interest?

> But also, there is a technical feasibility exception too.

There is no technical feasibility ("disproportionate effort"/"impossibility") exemption for the right to deletion. Whether a company can use such an argument as a successful defence has not yet been litigated.

> The legitimate interest for knowing what went on in your system for logs isn't just for helping the user. Knowing why there was a traffic spike, what happened in the past, etc. is important to know how to properly handle your business; this is a legitimate need for a company. Again, lawyers told me this.

To rely on the legitimate interest basis, you need to demonstrate that the processing is necessary to fulfil that interest and that it is balanced against the data subject’s interests, rights, and freedoms. It may be a valid basis, but it's certainly not definitive.

All in all, I feel that it may be better for all involved if you refrain from giving advice on the GDPR. I'm sure your lawyers will thank you.

I like this reply. Thanks for it.

> For one thing, as with any legislation, simplifying it to a limited number of examples is guaranteed to lead to error by omission. I'm sure that you've noticed that when legal firms post guidance about the GDPR (and in private correspondence like you would have received in your own conversations with lawyers), they are never as definitive or absolute in their advice as this blog post is.

You'll notice they never give concrete advice on anything, really. For the same reason, no matter how strong your case is they'll always tell you that you might lose. Lawyers say lawyer things.

And yet whenever the negatives of GDPR come up in discussions, someone is always there to assure everyone that "don't X, it's just that easy". It really, really doesn't appear to be that easy.
"Keep everything" is vague though. "Everything relevant to the transaction", certainly, as you've mentioned, that's already required by law. "Everything" as in "all user data including data they may have uploaded" will certainly not fly, even though it might help with defending against chargebacks.

Logs are a very difficult issue in my experience. If you really want to be compliant, your logs will not contain any PII and you'll have compliance people check the infrastructure to make sure there's nothing going in.

Granted, a normal developer will typically not care about this, and once they're working on large enough projects where it becomes a thing, they'll also have sat through hours upon hours of lawyers telling them what not to do.
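One practical form of the "no PII in the logs" check described above, added here as an illustration and not code from the thread or from any project mentioned in it: every log line is scanned for e-mail addresses, IP addresses and card numbers before it is written, and each hit is replaced with a keyed pseudonym so support can still correlate one user's entries without the log holding the identifier. The pattern set, the HMAC key and the sample log lines are all constructed assumptions.

```python
import hashlib
import hmac
import re

PSEUDONYM_KEY = b"constructed-demo-key"  # constructed; a real key belongs in a secret store
# Identifier types that most often leak into logs (assumed set); IPs count as personal data in the EU.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),  # 13-19 digits with optional separators
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: tells real card numbers from request ids and similar digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def pseudonym(value: str) -> str:
    """Keyed, deterministic token: same value -> same token, so support can still correlate a user."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:12]

def scrub_line(line: str):
    """Return (scrubbed_line, findings); findings lists (kind, value) for every hit."""
    findings = []
    for kind, pattern in PII_PATTERNS.items():
        def repl(m, kind=kind):
            value = m.group(0)
            if kind == "card" and not luhn_ok(re.sub(r"[ -]", "", value)):
                return value  # digit run that is not a card number: leave it alone
            findings.append((kind, value))
            return f"<{kind}:{pseudonym(value)}>"
        line = pattern.sub(repl, line)
    return line, findings

def audit(lines):
    """Scrub every line and count hits per kind; empty counts means the sample is clean."""
    clean, counts = [], {}
    for line in lines:
        scrubbed, findings = scrub_line(line)
        clean.append(scrubbed)
        for kind, _ in findings:
            counts[kind] = counts.get(kind, 0) + 1
    return clean, counts

SAMPLE_LOG = [  # constructed lines; the third carries only a pseudonymous id and is left untouched
    "2021-03-04T10:22:01Z INFO login ok user=alice@example.com ip=203.0.113.7",
    "2021-03-04T10:22:05Z WARN payment declined card=4111 1111 1111 1111 req=1234567890123",
    "2021-03-04T10:22:09Z INFO export finished user_id=u-48213 rows=1200",
]
```

Running `audit(SAMPLE_LOG)` over a captured log sample gives the compliance check a concrete count of what is leaking, and wiring `scrub_line` in as a log filter stops the identifiers from being written in the first place.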

> "Keep everything" is vague though. "Everything relevant to the transaction", certainly, as you've mentioned, that's already required by law. "Everything" as in "all user data including data they may have uploaded" will certainly not fly, even though it might help with defending against chargebacks.

The last part about helping with chargebacks is the legal exemption that is to be used not to delete the data. You're entitled not to delete data in order to provide a legal defence to future cases.

Yeah, I'd be super careful with any advice from a lawyer that told you you can store _all_ data because of potential future litigation after your customer has ended the relationship and asked for deletion. I'm pretty sure it would explode in your face in a comically large way where you're not only going to lose the case, you're also going to be found to have been knowingly and willfully non-compliant.

"Judges hate this one weird trick" doesn't work, I'm afraid. Would love to hear which company follows that advice though :)

It's not as easy as saying "there is an exemption", because courts ruled in many such cases and usually denied that argument, at least here in Germany and other EU jurisdictions I am aware of.

E.g. you cannot just keep medical records (unless you are e.g. a hospital and are required to safely keep that data) or dick pics either. Decisions about other less sensitive PII often haven't been made yet, but chances are the courts will not side with you but with the person whose PII is concerned.

What you can keep is enough information to identify the paid user in court (e.g. name and address data) and enough information to e.g. show you fulfilled your contract. E.g. if you're an email provider you probably can keep logs that show a paid user accessed your service and sent and received emails regularly, i.e. meta data about usage. What you cannot keep is e.g. the actual emails a user wrote or received or what contacts were in their address book.

Then, there are statutes of limitations, e.g. in Germany usually 3 years for any debt disputes. Keeping data beyond that wouldn't be covered by exemptions, as the data would no longer be necessary to mount a defense.

Even if you are allowed to keep data I wouldn't be surprised if you have to move it out of the production system. If I remember my lessons on data protection right then you have to restrict access to people that need it and in the case of legal issues the data has no reason to remain on your production servers but might be better locked away on an archival server with access limited to your lawyers.
> I've had multiple legal teams tell me that once they pay for something you need to keep everything. It's required to be able to mount a legal defence in case they want to do chargebacks.

Chargebacks are only actionable within a few months at most, so you could need to keep data during that period, but that would be short enough.

The GDPR requires, for instance, that you delete information from users that are inactive for a set number of years (3 years?). You wouldn't refuse to apply that for chargeback reasons, for instance.