Case Proposal: User's data may be kept for an undeterminate amount of time

I propose the following data to be a new case:

Fields Data
Name User’s data may be kept for an undeterminate amount of time
Description There is no stated limit on data retention period for user’s data. Furthermore, the data is kept in full form, not anonymized in any way, for an undetermined amount of time.
Classification bad
Topic Topic Personal Data (ToS;DR Phoenix)
Weight 60
2 Likes

The proposed case is similar to Case 304: The service may keep a secure, anonymized record of users’ data for analytical purposes even after the data retention period, but the data is not anonymized at all.

Also similar to Case 178: This service keeps user logs for an undefined period of time, but it’s not just logs, but all of the user’s data.

I realized we don’t have a case for this situation yet. The weight should be stronger than any of these other cases.

Also, I propose this case in the Personal Data topic, but perhaps we could have a topic specific to data retention and move those cases there?

3 Likes

Could you provide an example for which this case would apply?

Usually when user’s data isn’t deleted, it’s to comply with legal obligations or for business reasons, which fits with Case 333 : This service may keep personal data after a request for erasure for business interests or legal obligations, but if you found a point only fitting with the case you’ve proposed it’d be worth creating it.

2 Likes

It it similar to Case 333, but applies to the data retention period, not a request for erasure.

An alternative would be to change Case 333 to be more general, like “Some personal data may be kept after the end of the data retention period or a request for erasure for business interests or legal obligations”.

The example I have is from Kalunga which is in Portuguese.

Porém, em decorrência de razões legais ou regulatórias, em cumprimento à ordem judicial, em atenção a legítimos interesses da Kalunga, ou por qualquer outra base legal justificável, ela poderá armazenar por período de tempo superior.

However, due to legal or regulatory reasons, to comply with a judicial order, in attention to business interests of Kalunga, or for any other justifiable legal basis, she may keep it for a longer time. (my own translation)

3 Likes

You’re right, I have always annotated points without paying attention to that difference :grimacing:. Many points linked to Case 333 probably wouldn’t fit with it if it only applied to requests for erasure, so I think that we should rephrase it so that it becomes more general as you suggest.

We could move all cases applying to data retention period into the Topic Right to Leave The Service (ToS;DR Phoenix)

2 Likes

Agreed. In that case, let’s do that, and then we don’t need the one I proposed on this topic.

Yeah, I think that would make sense.

2 Likes

Considering there were no negative replies to the changes proposed in the last message, I have renamed and moved the following cases.

Case 303
  • Moved topic “Personal Data” → “Right to Leave the Service”
Case 304
  • Moved topic “Personal Data” → “Right to Leave the Service”
  • I think the weight of 40 may be too large for this case, but I’ve left it unchanged because we have not discussed it yet
Case 333
  • Renamed title “This service may keep personal data after a request for erasure for business interests or legal obligations” → “Some personal data may be kept after the end of the data retention period or a request for erasure”
  • Changed description “If you request the deletion of your data, they may still keep it for business interests (fraud detection, transactions…) or legal obligations (tax, legal reporting…)” → “After the end of the data retention period and/or if you request the deletion of your data, they may still keep it for business interests (fraud detection, transactions…) or legal obligations (tax, legal reporting…)”
  • Moved topic “Personal Data” → “Right to Leave the Service”

For the following cases, I have considered moving them to "Right to Leave the Service, but I’ve left them alone for now:

Finally, to be clear, with these changes the proposal I made in the original post is no longer necessary.

3 Likes

I’m reopening this discussion because although I didn’t notice it in the first place, the current title for case 333 could be improved to reflect the purposes of data retention:
Some personal data may be kept for business interests or legal obligations
I believe the wording “kept” implies “after the end of the data retention period or a request for erasure”, which is already precised in the description.

Otherwise it is vague for someone that doesn’t take the time to read the case’s description imho.

Edit: It has now been implemented: Case 333: Some personal data may be kept for business interests or legal obligations

1 Like

Sure, I’m ok with the change you propose.

1 Like