
Note: a user called YIVI had previously stated that you could store a hash of the user's email address to avoid the requirements of the General Data Protection Regulation (GDPR) and ePrivacy Directive (EPD). This is false, as hashed email addresses are still considered personal information under the regulations, since it may still be possible for the data controller to identify the actual email address associated with the hashed value, i.e. the data controller still holds personal information about the user. Pseudonymised data is still unequivocally considered personal data under the GDPR, as noted in Recital 26.

GDPR Recital 26 states: "Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person."

Under GDPR & EPD a person's hashed or un-hashed email address can be considered personal information. GDPR & EPD require user consent before storing a user's personal information.

Websites need a way of blacklisting malicious users, i.e. adding the user's email address to a blacklist to prevent them logging into the website.

Similarly, when a user deletes their account on a website their email address may be added to a blacklist to prevent another account being opened with the same email address, for various security and management reasons.

Under GDPR a user has the right to be forgotten and can request that their personal information be deleted.

Are we allowed to keep the user's email address in a blacklist if they request that their personal information be deleted?
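The Recital 26 point above (a hash of an email address is pseudonymised, not anonymised) is easy to see in code. The following is an added example, not code from the question or either answer; the addresses are constructed sample data and the hash scheme is simply the one the question describes (an unkeyed SHA-256 of the address), with a keyed HMAC variant added for comparison. It shows that whoever holds the hash function plus a list of candidate addresses (which the controller always does, since it holds its own user table) can map every blacklist entry back to an address, and that keying the hash only narrows "whoever" to the holder of the key, which is again the controller.

```python
import hashlib
import hmac
from typing import Callable, Dict, Iterable, List, Set

# Constructed sample data: a made-up user table standing in for the site's own records.
USERS: List[str] = ["alice@example.com", "Bob@Example.org", "carol@example.net", "dave@example.com"]


def normalize(email: str) -> str:
    """Canonicalise an address before hashing. Without this, 'Bob@Example.org' and
    'bob@example.org' hash differently and the ban is trivially bypassed."""
    local, _, domain = email.strip().partition("@")
    return f"{local.lower()}@{domain.lower()}"


def plain_hash(email: str) -> str:
    """The scheme the question describes: an unkeyed SHA-256 of the normalised address."""
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()


def keyed_hash(email: str, key: bytes) -> str:
    """Variant: HMAC-SHA256 under a secret key held by the controller."""
    return hmac.new(key, normalize(email).encode("utf-8"), hashlib.sha256).hexdigest()


def build_blocklist(banned: Iterable[str],
                    digest: Callable[[str], str] = plain_hash) -> Set[str]:
    """What the controller would store instead of the raw addresses."""
    return {digest(e) for e in banned}


def is_blocked(email: str, blocklist: Set[str],
               digest: Callable[[str], str] = plain_hash) -> bool:
    """The login-time check: hash the presented address and look it up."""
    return digest(email) in blocklist


def reidentify(blocklist: Set[str], candidates: Iterable[str],
               digest: Callable[[str], str] = plain_hash) -> Dict[str, str]:
    """Map blocklist entries back to addresses by hashing each candidate and
    comparing. This needs only the digest function and a candidate list; the
    controller has both, which is why the stored hash is still 'additional
    information' in the Recital 26 sense rather than anonymised data."""
    found: Dict[str, str] = {}
    for c in candidates:
        h = digest(c)
        if h in blocklist:
            found[h] = normalize(c)
    return found


if __name__ == "__main__":
    # Unkeyed: anyone with the user table (or a dictionary of likely addresses) reverses it.
    bl = build_blocklist(["Bob@Example.org"])
    print("bob blocked:", is_blocked("bob@example.org", bl))
    print("re-identified (unkeyed):", reidentify(bl, USERS))

    # Keyed: only the key holder reverses it. The controller is the key holder.
    key = b"controller-secret"  # constructed; in practice a managed secret
    kbl = build_blocklist(["carol@example.net"], lambda e: keyed_hash(e, key))
    print("re-identified with key:", reidentify(kbl, USERS, lambda e: keyed_hash(e, key)))
    print("re-identified without key:", reidentify(kbl, USERS))
```

The unkeyed form is reversible by anyone who can guess candidate addresses; the keyed form is reversible by the party holding the key. In both cases the controller can attribute the entry to a person, which is the question's own argument for why the blacklist remains personal data.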

2 Answers


GDPR & EPD require user consent before storing a users personal information.

Wrong.

User consent is one of the ways that justify storing personal information, but there are others.

You may check art.6 to see the several reasons that allow to store personal information.

In this case, it seems reasonable to justify it under paragraph (f):

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Of course, that means that the data has to be used for this purpose. Avoiding spammers and other banned users would be such a purpose, but you should ensure that you do not send those e-mail addresses commercial information or even a Christmas greeting.

In any case, be careful with anything you store. If along with the e-mail you stored more info, this could be interpreted as excessive and beyond the scope of paragraph f. For example, imagine storing "User wrote nazi statements" explaining why the e-mail is banned; EU laws are very restrictive about storing information about political or religious beliefs.

SJuan76

The article 17 right to be forgotten aka the right to erasure is not absolute.

Assuming you lawfully recorded the email address, if the email address is necessary for the purpose for which you collected or otherwise processed it then you aren't obliged to erase the email address on request.

Seems to me you have a 'legitimate interest' under article 6(f) to store the email address - if it's personal data. An email address isn't necessarily personal data.

(Your right of freedom of expression, with regard to what your platform publishes/serves to the public, may be relevant, in which case the right to erasure cannot be applied.)

GDPR & EPD require user consent before storing a users personal information.

GDPR does not require consent. Consent is one of the six lawful bases (see Article 6) for processing personal data.

The EPD seems irrelevant in the context. You do not want to market to these email addresses. You do not want to store data on their devices.

[edit]

I contacted the Information Commissioner's Office for guidance. The ICO is the UK's data protection authority. The guidance was:

  • If you can justify the necessity of keeping the email address on the blacklist it is lawful to keep it

  • The rights to object and to erasure are not absolute and can be refused in some circumstances, e.g. when the organisation can justify that it's necessary to keep the data

  • An automated process for refusing erasure requests in the context is lawful provided you can justify refusing each request

I recommend you seek guidance to satisfy yourself about your particular circumstances and concerns.

Lag