How long can a company retain personal data?

zombieHanalei

Hi there! Just curious, a letter recently arrived at home for my grandfather from Concern Worldwide requesting that he resume a monthly donation as he had previously signed up to donate.

Thing is, he died, in 1995, and the letter was addressed to a household he hasn't lived in since 1989!

Given that the letter contained his account number, and an address he hasn't lived at for 25 years, is there some kind of a data protection breach here??


For the record; I'm not looking to take action or register a complaint or anything, it's just a charity afterall! Just want to know at what point a company is required to remove a former customers details from their records (or if they're even required at all?)

Only thing I can think of is that he probably never formally closed the account, but why wait 19 years to get in touch after all donations and communication ceased from my grandfather?!

notmymark

From the Data Protection website:

A data controller who holds information about you must:
- get and use the information fairly;
- keep it for only one or more clearly stated and lawful purposes;
- use and make known this information only in ways that are in keeping with these purposes;
- keep the information safe;
- make sure that the information is factually correct, complete and up-to-date;
- make sure that there is enough information – but not too much - and that it is relevant;
- keep the information for no longer than is needed for the reason stated; and
- give you a copy of your personal information when you ask for it.

Essentially they can keep the data as long as they need to use it for the agreed reasons. Considering we don’t know what the agreed reason was, it’s quite possible that they are entitled to keep the data until, like you said, he closes the account, etc.

Having done some work for charities before, a lot of them simply don’t have the resources to be contacting people in their database to ensure everything is up-to-date. Instead they will normally update the database when told circumstances have changed.

It does seem strange given the very long periods of non-communication to suddenly start again. Only they can give you a reason for this. All you should have to do is contact them and tell them to update their database on him.

Ken.

How strange you posted this today as I received just 10 minutes ago an email from a recruitment agency/website I signed up to a while ago.

Ken:
This Message is to let you know that your CPM Ireland careers service account has been removed from our database.

The account has been inactive for over 999 days, therefore we have had to remove your details to comply with data protection. If you would like to get your account re-activated, please contact us via the details on the web-site within 366 days and quote the username:

slimjimmc

Moved to Legal Discussion. Note their charter applies.

Manach

In the EU Directive implementation there is an onus to keep the personal data relevant. This might entail the data processor having a self-imposed deadline to delete the data if complications. As well, my understanding in the OP's case that the legislation on data protection applies to living people. So while theoretically then they could keep the data indefinitely, there would really be no point for them to do so.

Victor

Check with the charity to see this is genuine and not a scam.

zombieHanalei wrote: »

Given that the letter contained his account number

Bank account number? :eek:

You meant to not open other people's post - it can be an offence to do so.

zombieHanalei

Victor wrote: »

Check with the charity to see this is genuine and not a scam.

Bank account number? :eek:

You meant to not open other people's post - it can be an offence to do so.

No not bank a/c no., twas some kind of a Concern Customer Account number.

Letter wouldn't have been opened but for the fact my teenage brother who was born a few years after my grandfather died was named after him, so at home they thought the letter was for my brother!

Definitely not a scam either, I rang them and they were happy to remove his details from their system, didn't make an issue out of it all as it's a charity and I don't really think it's that big of a deal anyway.

I just find it odd they still had him on their system after such a long time and was curious to know the legal obligations of companies when it comes to retention of personal data is all really

DublinWriter

zombieHanalei wrote: »

Thing is, he died, in 1995...is there some kind of a data protection breach here??

No...under Irish Legislation a data breach can only happen to a living person.

conorh91

As mentioned above, the DPAs only apply to personal data relating to living individuals.

There is no upward limit on how long a data be maintained. But it should be no longer than is necessary, having regard to the purpose of the data.

Many firms (including this website) will maintain some data for up to six years, because of the time limits set out in the Statute of Limitations.