The GDPR replaces the right to be forgotten with the right to erasure.
But article 17 also gives the following grounds for refusal:
Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
1) for exercising the right of freedom of expression and information;
2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
3) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
5) for the establishment, exercise or defence of legal claims.
The first example is effectively a carte blanche to argue nearly any request for refusal in court.
The second one allows member states to pretty much tell companies not to delete information; whilst this was set up with compliance in mind, the wording has likely been formatted to also fit other needs such as security and state monitoring.
The third one pretty much allows you to keep medical records and insurance information.
The fourth one is similar to the first, with celebrities, public figures and major events in mind (the Gawker clause).
The fifth one has been singled out by dating sites and other services such as ride sharing apps as the reason for them to keep data.
I am not a lawyer and this isn't legal advice; speak to a legal firm or an auditor for proper advice.
I have been working on a few GDPR compliance projects internally for the past year and I've had to speak with quite a few lawyers, and they all pretty much said it's actually far better for most companies than the existing framework as long as they can automate data discovery and know where their data comes from and where it goes.
You can fight the right to erase the data of a user pretty easily; what you cannot cockup (Art. 15, 20 and 21 of the GDPR primarily) is the ability to disclose what data you have on them and what it is used for, which is, like I've previously stated, the tricky part for most cases.
And as far as I can see Tinder pretty much aced the tricky part.
But what you are forgetting is Tinder's (or any other company's) legal merit for storing your data in the first place. Generalizing the Regulation: in most cases Tinder or any other only have the right to store (process or transmit to a third party) your data if you have given explicit consent. And you can revoke your consent.
So the issue is not the right to delete data in the case where you no longer use Tinder. The issue is that Tinder is simply not allowed to keep your data. In fact they must on their own initiative actively ensure they don't store data they are not allowed to, that is, on their own initiative delete your data if you revoke your consent.
Edit: oh, and the best part. If you withdraw your consent, Tinder is responsible for instructing all other companies that they shared your data with (including sold to) to delete your data (and follow up that they did).
"The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal."
I'm also not sure how Tinder got the data (and yes, it's important); data sharing, third-party clauses etc. are also covered by the GDPR.
Can the GDPR improve privacy? Yes, but it really isn't the sledgehammer that people think it is.
This is a very big subject, too big to cover over this channel to be frank.
Hmm, but do you interpret that to mean that the act of processing while the consent was in effect is not retrospectively made illegal, or to mean that data shared/obtained while a consent was in effect is still legal to keep after the consent is withdrawn?
You do not have to delete the data once consent is retracted, unless it's the only basis for lawful processing, and even then I'm not entirely sure if deletion is mandated, as archiving is allowed.
Also (from B&B):
"Individuals can require data to be ‘erased’ when there is a problem with the underlying legality of the processing or where they withdraw consent."
This is also a bit vague, but it looks like withdrawing consent does not invoke deletion explicitly; it might simply change the lawfulness of processing, which might require you to delete data if you only use consent as the basis of your LP.
However, explicit consent is also not the only way to do "lawful processing"; there are other ways to keep and get data.
Tinder can claim lawful processing after a retraction of consent with other allowances under Article 6:
1) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
2) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The 2nd one is pretty straightforward: this is in essence a third-party clause loophole, and the first one can be used by Tinder or the likes specifically in such cases where they would need to give data to the authorities, in such cases as sexual assault or harassment.
There is also a difference with what the GDPR defines as "further processing", which is what happens when you want to use information for other purposes than what consent was given for; there has to be a link, but this is again vague enough to be on a case-by-case basis.
"Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations."
Bird & Bird has a lot of free information on the GDPR and its real-world implications for companies; google them :)
Completely agree that there are other bases for legality, but most of them seem to favor either the registered person or other laws. And that was sort of my thought when saying Tinder would have to delete if you withdraw consent: I would think consent would be the only grounds for processing data for a company like Tinder. Wrt 1 and 2 of article 6 you mention, I'd have thought Tinder wouldn't be able to claim anything, since for 1) the interest of the subject would be to delete it and 2) "Tinder making money on your data" cannot be considered a legitimate interest. And when it comes to Tinder having to store due to things like in the case of sexual assault, they would still have to consider the principles of limitation on what they use the data for (eg. cannot sell your sexual preferences to advertisers if the only legal grounds is some law requiring them to store data for a very specific cause), right? And then there is the whole notification to the subject that's going to be a major pain as well.
Anyway, not a lawyer, and all the special cases you point out are probably valid. But that's why the only really interesting thing is to see the first cases and judgements on this so we can get some indication of interpretation. And of course seeing if the EU will actually execute the high fines - if not then all this won't have any effect anyway