GDPR for customer accounts : As an online sales site, the deletion of old accounts must be carried out in accordance with the provisions of the European Union’s General Data Protection Regulation (GDPR). Here are some important rules to follow when deleting old accounts in compliance with the GDPR:
Inform users: before deleting old accounts, you must inform the affected users of the deletion of their account. You can do this by email or by posting a notification on the website. The notice must specify the reason for the deletion and the date on which it will take place.
Comply with retention periods: the GDPR imposes retention periods for certain personal data. You must ensure that you comply with these periods before deleting accounts. If you retain data beyond the allowed periods, you risk violating the GDPR.
Allow access to personal data: users have the right to access and export their personal data. You must allow them to access their data before deleting their account.
Erase personal data: you must erase all personal data of the users after the deletion of their account. This includes purchase, payment, billing, and profile data.
Take security measures: you must take appropriate security measures to prevent the loss or unauthorized access to users’ personal data during the deletion process.
Provide recourse: if users have concerns or complaints regarding the deletion of their account, you must provide them with a recourse. This may include a claims process or the ability to contact a Data Protection Officer.
What are the deadlines?
| Rules for deleting old accounts | Timeframes in months |
|---|---|
| Inform users of the deletion of their account | N/A (may vary depending on contract terms) |
| Respect retention periods for personal data | 1-10 months |
| Allow access and export of personal data | 1 month |
| Erase all personal data after deletion | 1-3 months |
| Take appropriate security measures | N/A (ongoing) |
| Provide a remedy for users | 1 month |
Internal procedure to comply with GDPR
Identify inactive user accounts: The Data Protection Officer (DPO) or the team responsible for managing accounts must identify inactive accounts that need to be deleted in accordance with the terms of the contract and the GDPR.
Inform users of the deletion of their account: The team responsible for managing accounts must inform affected users of the deletion of their account via a notification sent by email or displayed on the website. This notification must explain the reason for the account deletion and the date it will take place.
Comply with retention periods for personal data: The DPO or the team responsible for managing accounts must ensure that all users’ personal data is kept in compliance with the GDPR requirements and the company’s internal policy.
Allow access and export of personal data: Users must be able to access and export their personal data before their account is deleted. The team responsible for managing accounts must provide clear instructions to users on how to access and export their personal data.
Erase all personal data after deletion: The team responsible for managing accounts must delete all users’ personal data after their account has been deleted.
Take appropriate security measures: The team responsible for managing accounts must take all appropriate security measures to prevent the loss or unauthorized access to users’ personal data.
Provide recourse to users: If users have concerns or complaints regarding the deletion of their account, the team responsible for managing accounts must provide them with a recourse by providing information on how to file a complaint and by providing a point of contact for the company’s Data Protection Officer.
Comply with GDPR for customer accounts: GDPR source
| Rules for deleting old accounts | GDPR Articles |
|---|---|
| Inform users of the deletion of their account | Article 13(1)(c) of the GDPR |
| Comply with retention periods for personal data | Article 5(1)(e) of the GDPR |
| Allow access and export of personal data | Articles 15 and 20 of the GDPR |
| Erase all personal data after deletion | Article 17(1)(a) of the GDPR |
| Take appropriate security measures | Article 32 of the GDPR |
| Provide recourse to users | Article 77 of the GDPR |
