If user foo@gmail.com violates our ToS and I suspend them, I can keep that email address forever to keep them from signing up again. They can’t just say “GDPR! You have to forget me, tee-hee!”
reply
This can be implemented without storing it. They could store a hash. No idea what they actually do.
reply
A hash of a public identifier like an email is personally identifiable data.
reply
Isn’t the entire point of a cryptographically secure hash that you can’t derive the original information?
reply
You can't derive the original better than guessing. With public identifiers you can just take a list of them and guess with those. If someone asks for your email they can hash it themselves and compare it against whatever databases.
reply
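The guessing point made in the comment above, as an added example that is not part of any comment in this thread: a blocklist of unkeyed SHA-256 digests can be linked back to addresses by anyone holding the digests and a list of candidate emails. The keyed variant (HMAC under a server-side secret) is an assumption added here for contrast, not something the thread proposes; all addresses, the key and the function names are constructed for illustration.

```python
import hashlib
import hmac


def normalize(email: str) -> str:
    # Constructed normalization rule: trim whitespace and lowercase.
    return email.strip().lower()


def plain_digest(email: str) -> str:
    """Unkeyed SHA-256 of the address, as stored in a naive blocklist."""
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()


def keyed_digest(email: str, key: bytes) -> str:
    """HMAC-SHA-256 of the address under a secret held only by the operator."""
    return hmac.new(key, normalize(email).encode("utf-8"), hashlib.sha256).hexdigest()


def match_candidates(stored: set, candidates: list, digest_fn) -> list:
    """Return the candidate addresses whose digest appears in the stored set."""
    return [c for c in candidates if digest_fn(c) in stored]


# Constructed sample data (not real accounts, not a real secret).
SUSPENDED = ["foo@gmail.com", "spammer@example.org"]
CANDIDATES = ["alice@example.com", "Foo@Gmail.com", "bob@example.net"]
SERVER_KEY = b"constructed-demo-key"


def demo():
    plain_store = {plain_digest(e) for e in SUSPENDED}
    keyed_store = {keyed_digest(e, SERVER_KEY) for e in SUSPENDED}

    # Unkeyed digests: hashing a list of known addresses re-identifies entries.
    linked_plain = match_candidates(plain_store, CANDIDATES, plain_digest)

    # Keyed digests: the same list yields nothing without the operator's key.
    linked_without_key = match_candidates(keyed_store, CANDIDATES, plain_digest)

    # The operator, who holds the key, can still enforce the suspension.
    still_blocked = keyed_digest("foo@gmail.com", SERVER_KEY) in keyed_store
    return linked_plain, linked_without_key, still_blocked


if __name__ == "__main__":
    print(demo())
```

The keyed digest only stops parties who lack the key; whoever holds the key can run the same candidate match.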
You can always encrypt with a public key instead of hashing.
reply
GDPR says you are not allowed to store my data just because. If you have a good enough reason, everything is allowed.
reply