The GDPR gives users the right to have their stored data deleted.

How does the GDPR handle situations where the data controller needs the data to fulfil their obligations to users (specifically by allowing a software to function)?


For example:

Assume a software ("aggregator") that aggregates and displays information from a social network, to provide a more useful dashboard and notifications than what's built into the platform.

Users of the social network authorize the aggregator to access, store and display their friends' activity, and the service then notifies them when something interesting happens. This would make the aggregator (more precisely, the entity behind it) a "data controller" under the GDPR, right?

Now if a user's friend requests deletion of their data from the aggregator, can the aggregator claim a "legitimate interest" reason to not delete that data? Since omitting friend activity from users' dashboards/notifications would mean not fulfilling the contractual obligation to the aggregator's users.

As a compromise, would it be permissible to substitute deleted information with anonymous records, like "An anonymous user commented in your discussion", given a user can trivially reference the discussion on the original platform and identify this "anonymous" user?

sleske

spiffytech

3 Answers

I think in the example you mention, the aggregator is the controller because it "determines the purposes and means of the processing of personal data", see Art. 4(7). Typically the aggregator would be a joint controller with the user, however the user probably uses this for purely personal reasons only, so the GDPR does not apply to the user.

That would also mean the controller is required to inform the data subject where that is feasible.

The GDPR gives users the right to have their stored data deleted.

Only in some specific situations. See this answer for more details. In this situation it boils down to whether Art. 21(1) applies:

  1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

It is difficult to say whether such "compelling legitimate grounds" exist, but in this example, the aggregator processes data which is either publicly visible, or at least visible to the user who receives the information. So as long as the user is able to get the data in a different way as well, not many rights are taken away from the data subject. So I would say that the controller has a compelling legitimate ground to process the data. Of course, the aggregator may not use the data for other purposes, unless it also has a compelling legitimate ground to process it for that purpose.

However if advanced data analytics like profiling is done on the aggregated personal data, it may shift towards having no compelling legitimate ground to process the data.

wimh

Users of the social network authorize the aggregator to access, store and display their friends' activity, and the service then notifies them when something interesting happens. This would make the aggregator (more precisely, the entity behind it) a "data controller" under the GDPR, right?

Not quite. What happens here is that you process the friends' data on behalf of your users. They are the data controllers. Being merely at your users' service, you are only the data processor.

Now if a user's friend requests deletion of their data from the aggregator, can the aggregator claim a "legitimate interest" reason to not delete that data?

That claim would be misleading the friend into thinking that the aggregator is the data controller here. The correct response would be something along the lines of "We keep your data at the request of your friend X. If you want us to remove your data, talk to them."

Note though that, as a data processor, you are required to keep the friends' data secure. And if you do it, the friends should not learn of you processing their data in the first place (other than from your users).

Greendrake

Do I have a “legitimate interest” under GDPR to not delete data my software needs to fulfil its function?

You don't need to posit a legitimate interest in the example you describe.

Articles 5.1(b), 89.1, and others of the GDPR explicitly authorize collecting/archiving/operating on personal data for statistical purposes. Aggregators serve a statistical purpose.

If practicable, the anonymization of personal data you propose at the end of your post would be optimal in regard to the principle of data minimization mentioned in Article 89.1.

Iñaki Viggers