How to comply with GDPR principles when deleting user accounts on an e-commerce website


GDPR for customer accounts: as an online sales site, you must carry out the deletion of old accounts in accordance with the provisions of the European Union's General Data Protection Regulation (GDPR). Here are some important rules to follow when deleting old accounts in compliance with the GDPR:

Inform users: before deleting old accounts, you must inform the affected users of the deletion of their account. You can do this by email or by posting a notification on the website. The notice must specify the reason for the deletion and the date on which it will take place.

Comply with retention periods: the GDPR imposes retention periods for certain personal data. You must ensure that you comply with these periods before deleting accounts. If you retain data beyond the allowed periods, you risk violating the GDPR.

Allow access to personal data: users have the right to access and export their personal data. You must allow them to access their data before deleting their account.

Erase personal data: you must erase all of the users' personal data after the deletion of their account. This includes purchase, payment, billing, and profile data.

Take security measures: you must take appropriate security measures to prevent loss of, or unauthorized access to, users' personal data during the deletion process.

Provide recourse: if users have concerns or complaints regarding the deletion of their account, you must provide them with a means of recourse. This may include a complaints process or the ability to contact a Data Protection Officer.

What are the deadlines?

Rules for deleting old accounts | Timeframes in months
Inform users of the deletion of their account | N/A (may vary depending on contract terms)
Respect retention periods for personal data | 1-10 months
Allow access and export of personal data | 1 month
Erase all personal data after deletion | 1-3 months
Take appropriate security measures | N/A (ongoing)
Provide a remedy for users | 1 month

Internal procedure to comply with GDPR

Identify inactive user accounts: The Data Protection Officer (DPO) or the team responsible for managing accounts must identify inactive accounts that need to be deleted in accordance with the terms of the contract and the GDPR.

Inform users of the deletion of their account: The team responsible for managing accounts must inform affected users of the deletion of their account via a notification sent by email or displayed on the website. This notification must explain the reason for the account deletion and the date it will take place.

Comply with retention periods for personal data: The DPO or the team responsible for managing accounts must ensure that all users’ personal data is kept in compliance with the GDPR requirements and the company’s internal policy.

Allow access and export of personal data: Users must be able to access and export their personal data before their account is deleted. The team responsible for managing accounts must provide clear instructions to users on how to access and export their personal data.

Erase all personal data after deletion: The team responsible for managing accounts must delete all users’ personal data after their account has been deleted.

Take appropriate security measures: The team responsible for managing accounts must take all appropriate security measures to prevent loss of, or unauthorized access to, users' personal data.

Provide recourse to users: If users have concerns or complaints regarding the deletion of their account, the team responsible for managing accounts must provide them with a means of recourse by explaining how to file a complaint and by giving them a point of contact for the company's Data Protection Officer.

Comply with GDPR for customer accounts: GDPR source

Rules for deleting old accounts | GDPR Articles
Inform users of the deletion of their account | Article 13(1)(c) of the GDPR
Comply with retention periods for personal data | Article 5(1)(e) of the GDPR
Allow access and export of personal data | Articles 15 and 20 of the GDPR
Erase all personal data after deletion | Article 17(1)(a) of the GDPR
Take appropriate security measures | Article 32 of the GDPR
Provide recourse to users | Article 77 of the GDPR