They're saying they will only anonymize the account, not delete the information:David Brian said:To be fair, Oily, as they themselves stated, they have 30 days to comply to requests. Nothing much can happen before then.
David Brian said:Actually, no.
I've been lurking throughout this thread, my thoughts leaning toward those copyright protections set down by Shane. I was interested to see how long it would take someone from your end to step-up, and hopefully dispel some worries.
I have to say your opening lines were a doozy... and not in a good way.
Anyhow, perhaps your company has a representative who actually understands the implications of GDPR, because it seems you do not.
Firstly, with regards your sneaked in TOS: Consent under GDPR must be active, requiring affirmative action by the data subject, rather than the passive acceptance under some current models that allow for pre-ticked boxes or opt-outs.
Controllers (that's you) must keep a record of how and when an individual gave their consent, and that individual may withdraw their consent whenever they want. Your current model for obtaining consent must be in place for when the GDPR applies in 2018.
Secondly, any citizen can withdraw consent whenever they like. They might do so because they object to how an organisation is processing their information, or simply because they don't want it collected anymore. In this instance all data will be removed.
The controller (again, that's you) is responsible for telling other organisations (for instance, Facebook, Google, PhishingScams.com, etc) to delete all and any links to copies of that data, as well as the copies themselves.
Thirdly, it may be worth mentioning for those covered by GDPR, if you wish to transfer any of the data you have posted here, and use it elsewhere; the controllers (Vertical Scope) are required to assist you - and to assist you swiftly: the legislation means citizens can expect to have a request honored within four weeks. Controllers must ensure the requested data is in an open, common format such as CSV, meaning that when it moves to another provider it can still be read.
Helena, I hope this helps to clarify your obligations under GDPR. It is a worldwide regulation, affecting all companies holding data on EU residents/citizens.