Right to Have Personal Data Deleted

Anudabloke

Does anyone know what rights a commercial business might have to retain a customer's personal data given and how long the business might claim for retaining personal data? Given:

1) the business is not involved in financial services

2) there is no contract or agreement between the customer and the business

3) the goods bought online were consumables that have been consumed and the consumer has informed the business the goods were good quality - there is now no reasonable grounds for a dispute over payment/refunds.

Obviously there are concerns the consumer may receive further emails and/or have money 'mistakenly' taken from their bank account. Any insights into relevant laws regarding customer data that might be retained and periods of time for retention? (I am aware of GDPR which is vague on the reasons a business might offer for retaining data.)

DullGreyGuy

Anudabloke said:

Does anyone know what rights a commercial business might have to retain a customer's personal data given and how long the business might claim for retaining personal data? Given:

1) the business is not involved in financial services

2) there is no contract or agreement between the customer and the business

3) the goods bought online were consumables that have been consumed and the consumer has informed the business the goods were good quality - there is now no reasonable grounds for a dispute over payment/refunds.

Obviously there are concerns the consumer may receive further emails and/or have money 'mistakenly' taken from their bank account. Any insights into relevant laws regarding customer data that might be retained and periods of time for retention? (I am aware of GDPR which is vague on the reasons a business might offer for retaining data.)

Your question doesnt make any sense... you say business and customer but then state there has been no contract between the parties, so on what basis are they a "customer" if they've never bought anything etc? 

A company may have details of non-customers, such as potential customers who sign up to a newsletter and therefore there is no contract but no free news letter is going to ask for your bank details to sign up to a weekly email of new products etc. 

The retention of data will depend on what grounds the data was gathered, their privacy policy and what legitimate business purpose they may have to retain the data. 

Assuming it is an actual customer, ie someone that has at some point bought a product or service, then there will be grounds to hold data for 7 years from the date of the last contract/purchase given the law of limitations is 6 years and its prudent to add 1 year for various reasons. 

If however during the sales process the customer agreed to the business retaining payment details to enable them to do make future purchases more easily then potentially that is an openended agreement. 

eskbanker

Anudabloke said:

Any insights into relevant laws regarding customer data that might be retained and periods of time for retention? (I am aware of GDPR which is vague on the reasons a business might offer for retaining data.)

GDPR, or rather the Data Protection Act in terms of its UK implementation, is very much the relevant law governing data retention - of course it's fairly generic by necessity, so interpretation will naturally vary considerably according to different businesses and their needs to process personal data.

Does the company publish a privacy policy explaining its stance?

Ergates

Anudabloke said:

Does anyone know what rights a commercial business might have to retain a customer's personal data given and how long the business might claim for retaining personal data? Given:

1) the business is not involved in financial services

2) there is no contract or agreement between the customer and the business

3) the goods bought online were consumables that have been consumed and the consumer has informed the business the goods were good quality - there is now no reasonable grounds for a dispute over payment/refunds.

Obviously there are concerns the consumer may receive further emails and/or have money 'mistakenly' taken from their bank account. Any insights into relevant laws regarding customer data that might be retained and periods of time for retention? (I am aware of GDPR which is vague on the reasons a business might offer for retaining data.)

Retaining customer details linked to and relevant for a transaction (Name, address, what was ordered etc) for a minimum of 7 years would be pretty normal and entirely reasonable.  The nature of the goods doesn't shorten this, but could lengthen it. 

The nature of the good could also change what data would be considered relevant.  If you're selling paperclips, then collecting medical details would obviously not be appropriate, if you're selling medicines, then it could be.

Anudabloke

Thank you for the replies! FYI - The customer bought a one-time purchase of alcohol online. 

In reply to DullGreyGuy:- with regard to there being no contract I meant there is no specific (agreed) obligation regarding further purchases/transactions, there was no agreement to retain bank details. Please can you point me to the law which states a business which doesn't provide financial services has the right to retain the personal data of a one-time purchaser of their goods for seven years? I understand companies offering financial services are required to retain customers' personal data by law for six years...

In reply to EskBanker:- with respect to the company and GDPR exemptions - they have given three reasons (fraud, refund, future pay disputes) why they wish to retain personal data for one year. The reasons appear 'bogus' - the goods have already been consumed by adults; the customer previously wrote to the company to praise the quality of the goods after they had been consumed; a payment dispute about the one-time purchase would surely be a matter between the respective banks of the consumer and business? The company has been asked to specify the legal basis for retaining personal data, precisely what data they wish to retain and for a copy of their data retention policy, but there has been no response and that in itself raises red flags. Their privacy policy is minimal and vague on the matter of data retention.

In reply to Ergates:- what is considered 'reasonable' may be debated in the absence of any law - if the customer wishes to have their personal data deleted and has requested the right to be forgotten, then surely 'common practice' would not be sufficient reason for GDPR exemption? I would be interested to know how you and DullGreyGuy are informed about the 'seven year' period - is there legislation which places that obligation on a trader? I suspect they need to retain transaction data for their accounts, e.g. "50 blue widgets sold 01/04/2024 for £100.00 by paid from <bank account #>" I am having a hard time thinking of reasons to justify retaining any other personal data in this case...

DullGreyGuy

Anudabloke said:

Thank you for the replies! FYI - The customer bought a one-time purchase of alcohol online. 

In reply to DullGreyGuy:- with regard to there being no contract I meant there is no specific (agreed) obligation regarding further purchases/transactions, there was no agreement to retain bank details. Please can you point me to the law which states a business which doesn't provide financial services has the right to retain the personal data of a one-time purchaser of their goods for seven years? I understand companies offering financial services are required to retain customers' personal data by law for six years...

In reply to EskBanker:- with respect to the company and GDPR exemptions - they have given three reasons (fraud, refund, future pay disputes) why they wish to retain personal data for one year. The reasons appear 'bogus' - the goods have already been consumed by adults; the customer previously wrote to the company to praise the quality of the goods after they had been consumed; a payment dispute about the one-time purchase would surely be a matter between the respective banks of the consumer and business? The company has been asked to specify the legal basis for retaining personal data, precisely what data they wish to retain and for a copy of their data retention policy, but there has been no response and that in itself raises red flags. Their privacy policy is minimal and vague on the matter of data retention.

In reply to Ergates:- what is considered 'reasonable' may be debated in the absence of any law - if the customer wishes to have their personal data deleted and has requested the right to be forgotten, then surely 'common practice' would not be sufficient reason for GDPR exemption? I would be interested to know how you and DullGreyGuy are informed about the 'seven year' period - is there legislation which places that obligation on a trader? I suspect they need to retain transaction data for their accounts, e.g. "50 blue widgets sold 01/04/2024 for £100.00 by paid from <bank account #>" I am having a hard time thinking of reasons to justify retaining any other personal data in this case...

GDPR states they must minimise personal data that they hold but HMRC has the right to audit them up to 6 years in arrears and a customer has 6 years to sue them. The extra year is just prudence because court papers could take a while to turn up etc. It is therefore generally accepted that 6-7 years there is reasonable business justification. It's very hard to defend a court case from a customer when you've deleted all your records and dont even know if they were a customer or if the thing they bought was from you or not. 

Do you have a link to the website?

Payment disputes are not between the banks, the customer raises it with their bank, who contacts the merchant bank who contacts the seller asking if they are going to defend the claim and evidence to support their position if they do. 

It may be helpful to know the reason for the complaint now given you say you arent the customer and the customer has been happy with the transaction? 

There is a possibility they are a "high value dealer" and therefore under AML rules they'd have to keep payment details for a minimum of 5 years. If they arent then it would be hard for them to justify retaining bank details after all normal rights for return etc have expired but the name, address, what they bought etc is reasonable. Of cause you'd need to ask for a partial deletion of data for that definitively happen. 

Ergates

Anudabloke said:

In reply to Ergates:- what is considered 'reasonable' may be debated in the absence of any law - if the customer wishes to have their personal data deleted and has requested the right to be forgotten, then surely 'common practice' would not be sufficient reason for GDPR exemption? I would be interested to know how you and DullGreyGuy are informed about the 'seven year' period - is there legislation which places that obligation on a trader? I suspect they need to retain transaction data for their accounts, e.g. "50 blue widgets sold 01/04/2024 for £100.00 by paid from <bank account #>" I am having a hard time thinking of reasons to justify retaining any other personal data in this case...

For instance, consumer contracts are enforceable* up to 6 years after completion.  Therefore, a retailer has a legal responsibility to know who bought what for at least 6 years.  Under UK law, you are not allowed to waive or give up your legal rights.  The item in question having been consumed doesn't change this, neither does the positive review.  The customer could, for instance, claim "Hey, wait a minute, I paid for a 21 year old Malt, I've just looked at this empty bottle and it's only a 14 year old", etc.  If that turned out to be true, then the customer would be entitled to some form of remediation.  If the business has deleted details of the transaction then they'd have no way of confirming what, if anything, the customer had paid for.  As a random example.

* I'm certain I'm not using the correct legal terms here.

Anudabloke said:

In reply to EskBanker:- with respect to the company and GDPR exemptions - they have given three reasons (fraud, refund, future pay disputes) why they wish to retain personal data for one year. The reasons appear 'bogus' - the goods have already been consumed by adults; the customer previously wrote to the company to praise the quality of the goods after they had been consumed; a payment dispute about the one-time purchase would surely be a matter between the respective banks of the consumer and business?

None of those make their reasons for retaining data 'bogus'.