As has already been noted controllers must inform subjects of the period of time (or reasons why) data will be retained on collection.
Should the data subject subsequently wish to have their data removed and the data is no longer required for the reasons for which it was collected then it must be erased.
Note that there is a “downstream” responsibility for controllers to take “reasonable steps” to notify processors and other downstream data recipients of such requests.
This area of the regulation is likely to need further clarification – for example it doesn’t seem to allow for the retention of suppression or do-not-contact lists.
A brief introduction to the E-Privacy Regulation and why GDPR needs this.
Known confusingly by many names including ePrivacy, ePrivacy2, PECR2 and ePR this regulation will replaces the existing EU Directive and is designed to harmonise and enhance the GDPR. Like the GDPR it has global reach and similarly significant penalties for non-compliance. In the UK this regulation will replace the exiting PECR laws.
This legislation is designed to regulate the use of personal information across all electronic communications including telephony.
At the time of writing this legislation is still in draft with the latest version issued on the 9th September 2017. This versions still proposed the law going live simulataniously with GDPR becoming enforceable on the 25th May 2018 – with adoption expected by august 2018. It is likely that the regulation may be delayed by a few months.
This regulation is particularly important for digital marketing activity as it overrides the GDPR’s allowance for legitimate interests and enforces consent on all digital communications for marketing purposes. there will still be an allowance for the so called “soft opt-in” where customers can be communicated to about similar goods and services with an opt-out only, but it should be noted that the wording here has been tightened restricting the use to customers only.
Cookies and similar tracking technologies, when used for non-essential processes (like profiling and advertising) will require prior consent. Browser and interface manufacturers are set to bear the burdon of responsibility here by providing new mechanisms to allow individuals to manage their consent more easily. These mechanisms are yet to be defined…This is set to revolutionise (and potentially harm) the ad-tech industry which relies on such techniques (third party cookie synching, the use of device ID’s etc) for increasing ad relevency.
This regulation should lead to much more open dialogue between advertisers and data subjects – with advertisers needing to make much clearer the “value exchange”.