@noelle wait, am I misreading if there's an implied "removing information is not allowed under GDPR"? Because I'm pretty sure that would be wrong - i.e. if you have someone's PII, GDPR will never stop you from deleting it.
@zatnosk @noelle that was exactly the interpretation that was given when this came up
because apparently "deleting data" can somehow be interpreted as "processing data" and it's against the GDPR to process data without the consent of the person whose data it is
or at least that's how far I managed to reason it out before I got a headache
@troubleMoney @noelle it does apply to orgs outside EU too, but only when they touch PII of EU citizens.
@troubleMoney @noelle oh for fucks sake. "Processing data" includes storing it in your database or on your file system.
If you can delete it, you're already processing it. If you delete it, you stop processing it.
@zatnosk @noelle oh, also this apparently applies to the personal data of persons who are not citizens of the EU and to organisations that may not be based in the EU
last night was... interesting