by luckylion 1414 days ago
"Keep everything" is vague though. "Everything relevant to the transaction", certainly, as you've mentioned, that's already required by law. "Everything" as in "all user data including data they may have uploaded" will certainly not fly, even though it might help with defending against chargebacks.

Logs are a very difficult issue in my experience. If you really want to be compliant, your logs will not contain any PII and you'll have compliance people check the infrastructure to make sure there's nothing going in.

Granted, a normal developer will typically not care about this, and once they're working on large enough projects where it becomes a thing, they'll also have sat through hours upon hours of lawyers telling them what not to do.
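An added example, not from the thread, of the log hygiene the comment above describes: a Python logging filter that redacts e-mail addresses and IPv4 addresses before any handler writes them, plus a scan over existing log lines of the kind a compliance check would run. The PII patterns and the sample log lines are constructed for the demonstration and are not exhaustive.

```python
import logging
import re

# Constructed patterns for two common kinds of PII that leak into logs.
# A real deployment would extend this list (user ids, phone numbers, ...).
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def redact(text: str) -> str:
    """Replace every PII match with a typed placeholder."""
    for name, pattern in PII_PATTERNS.items():
        text = pattern.sub(f"<{name}-redacted>", text)
    return text


class PiiRedactingFilter(logging.Filter):
    """Logger-level filter: rewrites the record before handlers see it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already fully formatted
        return True


class ListHandler(logging.Handler):
    """Collects formatted lines in memory so the result can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def log_through_filter(messages):
    """Log each message through the redacting filter; return what was written."""
    logger = logging.getLogger("pii-demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(PiiRedactingFilter())
    for msg in messages:
        logger.info(msg)
    return handler.lines


def find_pii(log_lines):
    """Compliance check over existing logs: (line_no, kind) for every hit."""
    return [(no, name) for no, line in enumerate(log_lines, 1)
            for name, pattern in PII_PATTERNS.items() if pattern.search(line)]


# Constructed sample log lines: the first leaks an address and a client IP.
SAMPLE_LOG = [
    "2023-01-10 login ok user=alice@example.com from 203.0.113.7",
    "2023-01-10 payment captured order=4711",
]
```

Running `find_pii` over the raw sample flags line 1 twice; running it over `log_through_filter(SAMPLE_LOG)` returns nothing, which is the property a compliance review would want to see hold for the whole pipeline.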


> "Keep everything" is vague though. "Everything relevant to the transaction", certainly, as you've mentioned, that's already required by law. "Everything" as in "all user data including data they may have uploaded" will certainly not fly, even though it might help with defending against chargebacks.

The last part about helping with chargebacks is the legal exemption that is to be used not to delete the data. You're entitled not to delete data in order to provide a legal defence to future cases.

Yeah, I'd be super careful with any advice from a lawyer that told you you can store _all_ data because of potential future litigation after your customer has ended the relationship and asked for deletion. I'm pretty sure it would explode in your face in a comically large way where you're not only going to lose the case, you're also going to be found to have been knowingly and willfully non-compliant.

"Judges hate this one weird trick" doesn't work, I'm afraid. Would love to hear which company follows that advice though :)

It's not as easy as saying "there is an exemption", because courts ruled in many such cases and usually denied that argument, at least here in Germany and other EU jurisdictions I am aware of.

E.g. you cannot just keep medical records (unless you are e.g. a hospital and are required to safely keep that data) or dick pics either. Decisions about other less sensitive PII often haven't been made yet, but chances are the courts will not side with you but with the person whose PII is concerned.

What you can keep is enough information to identify the paid user in court (e.g. name and address data) and enough information to e.g. show you fulfilled your contract. E.g. if you're an email provider you probably can keep logs that show a paid user accessed your service and sent and received emails regularly, i.e. metadata about usage. What you cannot keep is e.g. the actual emails a user wrote or received or what contacts were in their address book.

Then, there are statutes of limitations, e.g. in Germany usually 3 years for any debt disputes. Keeping data beyond that wouldn't be covered by exemptions, as the data would no longer be necessary to mount a defense.

Even if you are allowed to keep data, I wouldn't be surprised if you have to move it out of the production system. If I remember my lessons on data protection right, then you have to restrict access to people that need it, and in the case of legal issues the data has no reason to remain on your production servers but might be better locked away on an archival server with access limited to your lawyers.