| ▲ | computomatic 4 hours ago | ||||||||||||||||||||||||||||
Is there evidence that European courts have sided with that? “We’re holding onto all your data indefinitely just in case you log in again several years from now” seems to be the antithesis of GDPR and I can’t discern the difference between that and what you’re suggesting. I believe EU has dug their own hole here. And the best move would be to pass more legislation to explicitly require the retention (and transfer, ideally) of purchased digital goods. | |||||||||||||||||||||||||||||
| ▲ | buran77 3 hours ago | parent | next [-] | ||||||||||||||||||||||||||||
> Is there evidence that European courts have sided with that? Is there evidence of the contrary? Maybe any store can just delete your personal data right after charging your card and claim GDPR prevents them from shipping your product. Silly arguments work both ways. You just picked the one that confirms your bias. GDPR under no circumstances forces processors to delete everything, it defines legitimate interest. Retaining a person's purchases is as legitimate as it gets so the data can be retained for as long as the purchase is valid. And the license itself isn't even the user's personal data, it's just a license, so Sony could give the option to export that license to be used later - even in a cryptographically secure format that can only work if e.g. the account is created with the same email address. If they delete the personal data and throw out the baby with the water, it's not GDPR forcing them to do it. | |||||||||||||||||||||||||||||
| ▲ | cccbbbaaa 3 hours ago | parent | prev | next [-] | ||||||||||||||||||||||||||||
No need to wait for the courts’ opinions: controllers must keep the data for a limited amount of time (which can be something like “3 years after the last connection”) under GDPR article 5(1)e. | |||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||
| ▲ | BiteCode_dev 3 hours ago | parent | prev [-] | ||||||||||||||||||||||||||||
The GDPR does not say that controllers must always delete personal data on request. Article 17(1)(a) — erasure is required only when: "the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed" https://gdpr-info.eu/art-17-gdpr It's like the cookie banner all over again. This law never, ever required a cookie banner. The big companies are master in malicious compliance that benefit them, and let them blame the EU for it. Rules of thumbs, international billion dollars company should be assumed to be the ones being the bad guys until proven otherwise. They have lost the benefit of the doubt decades ago. | |||||||||||||||||||||||||||||
| |||||||||||||||||||||||||||||