Would stating this in a privacy policy help? Also if the data is just something like an anonymised ip, would deleting it still be illegal?

thanks Desiree! :)

Little Cooking Tips - Blog - Is that really important? To my understanding you are only required to tell if you have data about someone or not. So your answer to a user would be something like: "we have no data about you. Either we never had or you asked us to delete them"

Hi Aidan! I mean something different, perhaps wasn't clear as much as I should. If you remove any communication with a person, because this person requested it (email and such), then how can you be safe from legal action/liability from this person? He/she may make false claims and you wouldn't have proof that you answered - in writing - to these claims. Moreover, does one keep the request for the deletion, that itself contains personal information? If not, then how - again - can one prove that he deleted information at someone's request? I'm honestly quite baffled by some of the logic behind GDPR.

Oh I see. As I understand, your "data protection implementation", i.e. all the softwares you use to collect/process/delete data, must create audit logs to keep track of every action of end users and privileged/administrative users. So basically, whatever happens to personal data (even data breach detection) must be written to audit logs which serve as a proof.

Haha! But that might be a breach of your data privacy... touche bureaucrats! It's like Schrödinger's cat, but for data. The data both exists and does not exist, until someone looks for it... and finds it in your bin.

Best to shred any paper with phone numbers and addresses on, with a paper shredder

As GDPR is quite strict, but also logical when it comes to opt-in, then it is highly likely a GDPR compliant website is US/CA compliant.

our pleasure Toby!

No, you can send email related to the original interest. So if I registered on your website, you can send me email about registrations and my account. That's completely okay! :)

thank you very much :)

No you're fine, you could just exclude those people from all your cookies - but you'd still need to outline in your privacy policy what you're doing and what happens if someone from the EU sends you data (contacts you).

Hey Francesco, good question. If a legitimate interest exists - such as a registration - then sending an email without a consent 'tick box' is okay. In that case the data is being gathered out of necessity. Where it becomes an issue is if you then email that person anything that isn't related to the original registration action. So if you plan to 'market' to them after registration, then you must ask them if they're okay with that. You can do that on your form with a 'tick box' or in a following email that asks them to confirm the additional opt-in. Does that make sense? Backups are a big issue for all of us. It will mean disposing of older backups that contain 'deleted' users. We'd recommend a decay type policy whereby you as the data holder are given a grace period of say 30-days, to remove the user from backups. That means that if someone asks to be forgotten entirely, you have a little leeway on cleansing backup data, which is typically harder to get hold of and manage.

Now that is a good question and honestly, I'm not sure because that in itself seems like it could fall under GDPR... which is insane! How do you prove it if the person opted out and therefore left no footprint, other than an anonymous visit to your site (or similar)?

The cookie you store is not an 'online identifier'. if you are simply storing the preference of the user's consent (yes/no). There's no problem with setting cookies.

Now that's an interesting question. I actually don't know the legalities around that but you're right, you can't just delete invoices! Safe filing system is a must but that leaves the question of what if you stop working with that person, can they then request you destroy their data (old invoices)? That wouldn't make sense because of legal accounting requirements.

Invoices are part of the justified purposes which are outside the scope of GDPR: _“if data processing is needed for a contract, for example, for billing, a job application or a loan request; or if processing is required by a legal obligation …”_ However, GDPR applies right after the legal obligation ends. For example, if local laws require you to keep invoices for 12 years, you must delete them immediately after the 12 year period.

Thanks Aidan, that makes sense.

If you're unsure ASK the user to opt-in and be very CLEAR in your privacy policy: - how you collect data - why you need it / what you do with it - how you store it - how they remove themselves (contacting you is okay) - and how they can contact you (email address and/or person)

AdEvolver, thank you very much, you're a lifesaver! Much appreciated :)

We work hard on the lighting! :-D