
Another point: what about "personal data" that isn't really? A webserver log, for instance, contains an IP, which is covered under the law as personal information, I believe. This could be part of carrier-grade NAT serving thousands (or even just regular NAT of 2 or 3 people); must I delete everyone? Whose key would these be encrypted with in your solution?



Webserver logs should for most intents be covered under legitimate interest as part of securing your network. As long as you rotate your server logs, which is default for any distro installation (AFAIK), you don't have to delete those when a user requests them.


Most companies collect and centralize logs, making logrotate irrelevant. What prevents a company from having decade-long rotations? Also, who decides what is a legitimate interest?


Even centralized logs can have rotation and retention.

The company will have to decide for themselves, primarily, if some interest is legitimate.

This means you weigh the data you collect by the single user against the continued function of the company, the greater good and all other users. The company should then be able to demonstrate this process to the regulatory body.

There is no nailed process but keeping logs for a short amount of time to ensure network security and keeping some logs longer for legal compliance will most certainly pass as legitimate interest.

Network security benefits the user themself, the company and all other users by ensuring their data is secured against breaches. It goes beyond simple self-interest of the company and protects the users too.

Similarly, having an email address to contact a user can be legitimate interest. If you only send them informative mail, i.e. "Someone changed your password" and "We had a data breach" or even "Someone tried to log in from Uganda using your password, check if that's alright please", it serves primarily to protect you, the customer and the relationship you build up.

IMO that means it's legitimate.

On the other hand, of course an adcorp could claim their personal tracking data is legitimate. The data collected does not benefit the user other than showing them ads and selling it to others. Of the three groups, only one benefits.

Or keeping a webserver log for 20 years including usernames and emails.

IMO that would mean it's not legitimate.

If you are wrong in what you think is legitimate, you get a sternly worded letter from your favorite regulatory body asking you to fix it.

If you think they are wrong about that, the best option is to write them back and explain why you think it's legitimate. You can work out a solution with them that satisfies both sides.


> Even centralized logs can have rotation and retention.

That was a response to the comment about the default installs in most distros, not the ability of centralized services to rotate logs. It was pedantic and I regret derailing the discussion with it.

> The company will have to decide for themselves, primarily, if some interest is legitimate.

Until a regulator comes and makes a separate decision, and you have to plead with them that you're not wrong even when they think you are.

> If you are wrong in what you think is legitimate, you get a sternly worded letter from your favorite regulatory body asking you to fix it.

From a regulatory body that has no real authority over me, except it might?

I think my biggest issue is that I don't deem data a company has on me _my_ data or that they have to explain everything they do with _their_ data about me. I was never under the impression that it was my data, and in fact, I assume anything I put on a computer I don't control or have a paid, contractual agreement around is public. I fundamentally don't agree with or understand the premise that the situation is otherwise.

(The biggest exception being that I do expect companies to honor their contractual obligations under their credit card processing agreements, but that's not really about _me_ or data about me.)



