Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Wouldn't they also need to replace saved billing details, like address and full name, to anonymized garbage?


In Germany not; these are required by law (§147 AO, https://www.gesetze-im-internet.de/ao_1977/__147.html) to be kept for ten years.

The legal base for allowing this national rule in European law is Art. 6, 1c GDPR.


But they'd need to get rid of it in the 11th year, right? And even before then, they'd need to delete some of the earliest records for someone who has subscribed for more than 10 years. Lots of compliance traps remain.


I think something similar happens in the UK. It's generally believed here that laws telling you to retain data take precedence over the GDPR telling you to delete it. (I am very much not a lawyer, as you can doubtless tell.)


Yes. For example, HMRC requires that you keep various business records for 6 years (or longer, circumstance-specific) after the end of the company's financial year.

Generally, the rule is "Delete the data unless there's a law that requires you not to" — and the UK's implementation of the GDPR (the Data Protection Act 2018) makes various explicit exemptions for this.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: