DP News – Week 4. Danish DPA issued guidance on retaining personal data for documentation purposes, Apple faces a $5 million class-action in New York.

The Danish data protection authority, Datatilsynet, has published its guidance on retaining personal data for documentation purposes. As Datatilsynet mentioned, the guidance “clarifies the framework for the storage of personal data solely for the purpose” of documenting that data controllers “comply with the data protection rules on consent”.

Datatisynet reiterates the provisions of the GDPR Article 11 and highlights that, if the purposes of the data controller do not require or no longer require that the data subject can be identified by the data controller, the data controller is not obliged to retain, obtain or process additional information in order to be able to identify the data subject solely for the purpose of complying with the GDPR. The authority points out that “personal data processed on the basis of the consent of the person in question, including the consent itself, must, as a starting point, be deleted immediately after the end of the processing activity”.

However, as it follows the guidance, this does not affect exceptions listed in the GDPR Article 17(3), according to which the data can be stored for longer if necessary for specific purposes, e.g., for the establishment, exercise or defence of legal claims. “Necessary” means, as the guidance explains, “that there must be a current interest in storing the information. The mere fact that the information might be nice to have “just in case” cannot therefore in itself justify longer storage”.

***

Apple is accused of improper collection of analytics data about the iPhone usage and faced a $5 million class-action in New York for privacy violations.

The iPhone Analytics privacy setting claims that it will completely stop the sharing of device analytics when turned off, and that the information collected doesn’t personally identify users. However, researchers from the software development company Mysk found that these claims were not true. When they tested the setting, they found that turning it off had no effect on analytics data sent from Apple apps, such as the App Store, Apple Music, Apple TV, Books, and Stocks. This data includes detailed information about users’ actions within these apps, including the time spent on certain pages, and which ads are seen. This could pose a serious privacy concern, as searches and downloads for specific apps can reveal sensitive information about users, such as their sexual orientation, religion, and health issues.

Additionally, even though Apple claims that the information does not identify specific users, it is still transmitted with a permanent ID number linked to iCloud accounts, which can link the data to users’ personal data such as their name, email address and phone number.