
This question is from a SAAS point-of-view. If a user exercises their Right to be Forgotten under GDPR, what happens to their billing information?

Good practice suggests you should delete card info as soon as a customer cancels their account, but what about other details like email or billing address? If all this info is deleted, how can we justify where we got the funds from?

Asked by shivam

Comments:

  • This is more of a legal question than a technical one, so you might get more useful answers from law.se. However, Article 17 (https://gdpr-info.eu/art-17-gdpr/) includes the exclusion "for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject" - in other words, if you need to keep it for accounting purposes (a legal obligation), you can keep it for as long as that requirement lasts. Check with a legal professional before relying on this though! – Matthew Feb 12 '18 at 11:03
  • You must keep invoices for 10 years. But I'm not sure about which other billing information you may/must keep. – CodesInChaos Feb 12 '18 at 11:37
  • This may vary from state to state though. And as Matthew already said: consult with someone who is a professional if this is a matter of importance. – Tom K. Feb 12 '18 at 11:59
