| ▲ | cccbbbaaa 4 hours ago | |||||||
No need to wait for the courts’ opinions: controllers must keep the data for a limited amount of time (which can be something like “3 years after the last connection”) under GDPR article 5(1)e. | ||||||||
| ▲ | crote 3 hours ago | parent | next [-] | |||||||
To save everyone a click: > Personal data shall be: kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. (..) Note that this does not say "it must be stored for a limited amount of time" - it says "no longer than necessary". Your basic account data (such as username and password, or an email for password recovery) is still necessary to log in to the platform and make use of your purchases. As long as there is no clear indication that the user will never log in again (such as due to death, or because they explicitly deleted their account), it would be reasonable to keep it around. On the other hand, it may make sense to delete some data. For example, it may make sense to store your full name and address info to make checkout more convenient. If a user hasn't bought stuff in a while, it makes sense to delete it and have them re-enter it in the future. There might be a bit of a gray space for things like game achievements (especially when there's a public profile) or savefile backups, but reading it as "you MUST delete all digital purchases because GDPR" is just not true. | ||||||||
| ||||||||
| ▲ | computomatic 3 hours ago | parent | prev | next [-] | |||||||
5(1)c seems far more relevant than e. “Data minimization” is what’s relevant here. And the article is sufficiently vague that the onus is on companies to decide what is absolutely minimal - that includes, implicitly, removing inactive accounts. Unless the courts have made a judgement to the contrary. | ||||||||
| ▲ | wat10000 an hour ago | parent | prev [-] | |||||||
"kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed" Keeping "account X purchased game Y" forever is necessary for the purpose of tracking ownership. Based on how big companies typically behave, I assume that they are storing a metric buttload of other data on their users, which is not necessary for that purpose, and which they aren't inclined to separate out. This is just like the cookie popup nonsense. You don't have to ask for permission to store necessary cookies. Cookie popups are ubiquitous because sites would rather bother every single visitor so that they can store unnecessary cookies. | ||||||||