17

I'm an EU resident. I just sent in a GDPR removal request to Slack. Their response:

Per our Terms of Service and Privacy Policy, your Workspace Primary Owner (Customer) controls Customer Data. Customer owns all of the submitted content, including profile information, and Slack processes Customer Data on the Customer's behalf: https://slack.com/privacy-policy#collect.

A Workspace Primary Owner, as the data controller, is responsible for determining whether profile information requires deletion. If you wish, you may also want to reach out to your Workspace Primary Owners as we can only delete profile information upon their request.

If you have any questions about this process, please refer to this page in our Help Center: https://get.slack.help/hc/articles/360000360443-Delete-your-profile-info-from-Slack

Somehow this doesn't feel right. Slack claims that the organisation (or person in many cases) running the Slack is the data controller, but the "data controller" doesn't even have normal access to more than 10000 messages if they're not paying Slack. Does this make sense legally?

And what if this "data controller" doesn't comply with my request? Or is dead or doesn't even exist anymore? Isn't it Slack's responsibility to remove my data in this case?

This Reddit thread is related. It got me to 1a of Article 17 of the GDPR, which states:

the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

To me this clearly applies to most (probably all) of the Slacks that I was on, since most of my data (i.e. messages) are not even visible anymore. Is this correct?

the

1 Answer

15

The GDPR's right to erasure just applies in some specific situations. While messages you wrote on Slack are personal data, they are generally also part of a larger discussion with others. If your messages are removed, the discussion becomes incomplete, so that will violate the freedom of expression of those others. Art. 17(3) GDPR provides an exception for the right of erasure in such cases. So basically, whoever is the controller, you probably don't have the right to have your messages deleted. However, you would have the right to have your account pseudonymized, like Slack replied in the Reddit post you linked to. See also my answer in "Does a user have the right to request their forum posts deleted?".

Basically, it is correct that Slack can be just the processor, even if the controller cannot get access to more than 10000 messages unless they pay. However, Slack is not allowed to do anything with those messages, except when the controller says so.

In its Privacy Policy, Slack distinguishes between customer data and other data. It states that it is the processor for the customer data, but the controller for the other data. Because those are tied together, I am not sure this distinction can be made. If not, Slack and the customer will be joint controllers, but it would probably require a court case to decide on that. For example, the Court of Justice of the European Union has ruled (in the Fashion ID case) that putting a Facebook "like" button on your website makes you a joint controller together with Facebook. And (in the Wirtschaftsakademie case) that creating a Facebook "fan" page also makes you a joint controller. But neither of those is very similar to the situation with Slack.

Andrew T.
wimh