[mynameisvlad]

You cannot impose requirements like that as part of the deletion process.

It is 100% not the user’s responsibility to keep track of this information. That is explicitly a requirement of the provider and it is fully on them to ensure that a deletion request deletes all the personal data. If they didn’t tag it properly and can’t ensure that, then that is their problem to solve not yours.

Their value proposition is also not a single user’s data. It’s the entirety of the data set. One user’s data is nearly worthless, certainly not worth enough to have a human review it. Which was my point.

[cinntaile]

I take it you haven't seen how forums deal with GDPR notices? It's exactly how I described. The profile is anonymized/emptied and the posts stay.

[vonmoltke]

Just because a bunch of forums do it that way doesn't mean it's correct. When I was at Twitter the Compliance team determined that all user-generated content was Personal Data under the scope of GDPR. Those forums may be getting away with it right now, but they're playing with fire. If someone wanted to raise a stink with regulators they could be in trouble. I guarantee you if Reddit or a site of similar scope tried something like that someone would.

[cinntaile]

I know of two forums in two different EU countries that have also consulted with lawyers and determined that it was sufficient. I am inclined to give higher weight to your opinion simply because Twitter Compliance will have access to a larger team of lawyers, do you know if they were American lawyers or EU lawyers?