0

As the title suggests, if you delete your account on social media/dating websites and there are personal/private chat messages there.

Under GDPR, would these have to be deleted by the controller?

So for instance, if a site has a 30 day ‘cooling off’ period when you delete your account in order to retrieve your account, should the controller also delete the messages after the 30days from their servers, to the extent they can’t be retrieved/looked at by them?

Or would they still be retained due to the ‘recipient’ still having them?

Malfoy123
  • 1
  • 1
  • does this help https://law.stackexchange.com/questions/30951/facebook-vs-gdpr-private-messages-i-sent-to-others-will-never-be-deleted-erase – Lag Aug 05 '20 at 10:03
  • I’ve read through it and couldn’t quite understand it.

    So want a ‘kind of’ definite answer.

     – Malfoy123 Aug 05 '20 at 10:09
  • Basically, if they only delete one side of the conversation, would the account be anonymised to the point the messages couldn’t be linked back to a certain account etc? – Malfoy123 Aug 05 '20 at 10:10
  • You arent going to get a definite answer because this hasnt been tested in court yet and the GDPR itself doesnt explicitly cover all the details you want covered. Thats the problem with the GDPR, it sets broad requirements and the intention is to let case law fill in the details. –  Aug 05 '20 at 19:56
  • 1
    The answer in the general case is "it depends". In wimh's answer to the related question they discussed a variety of considerations. It's likely the host relies on a lawful basis and behaves such that they are not obliged to delete the messages. The recipient may have an interest in the messages being kept until the recipient deletes them. I imagine the host would anonymise the sender's messages such that the host can no longer relate them to a person it can identify. The messages will be associated with account ID 123 but the host no longer knows who is the person represented by ID 123. – Lag Aug 06 '20 at 07:21
  • In the specific case e.g. Facebook you'd have to ask them what is their approach and how they think they comply with the law. – Lag Aug 06 '20 at 07:22
  • @Lag so what you’re saying is, after the account has been deleted they’re going to more than likely anonymise the account like you say with a random ID, but the controller (host) won’t know what account that ID relates too? So they wouldn’t be able to match it back to a specific user? – Malfoy123 Aug 06 '20 at 07:47
  • Essentially yes - my speculation is the controller would make itself unable to point to a particular individual and say this message or set of messages is what that person sent. – Lag Aug 06 '20 at 10:28
  • So the second they’re deleted, theoretically they should be anonymised and not be able to link back to a specific user? If they could, I presume they’ve failed under GDPR? – Malfoy123 Aug 06 '20 at 10:51

0 Answers0