UK GDPR Interpretation of Article 17 (3) (e)


  • UK GDPR Interpretation of Article 17 (3) (e)

    Hi, hoping there are some experts here...

    In a nutshell, a company is refusing to comply with a request to erase personal data. The company sells small value items to the general public and in order to purchase said items they collect the usual personal data, name, address, tel number, email, etc. They are relying on UK GDPR Article 17 (3) (e), which states, as an exemption from the regulations, "for the establishment, exercise or defence of legal claims."

    They are claiming that "defence of legal claims" makes them 'legally obliged' (their words) to store data in case a legal action is brought against them by me within the six year limitation period. They also state that deleting personal data may prevent them from defending themselves.

    The ICO representative has also echoed this statement, which I consider to be complete nonsense. The ICO website even says "Data should not be stored on a 'just in case' basis". This interpretation would effectively allow any company that has ever sold anything to anyone to refuse an erasure request based on 17 (3) (e) and keep personal data for six years. My interpretation is that 17 (3) (e) simply allows a company to process data in the event of a legal claim so they can defend themselves.

    Any input gratefully received.






  • #2
    Have you said or done anything that might make this company think a legal claim might be possible? Do you think that there are any circumstances of which they are aware that might give rise to such a claim?
    Lawyer (solicitor) - retired from practice, now supervising solicitor in a university law clinic. I do not advise by private message.

    Litigants in Person should download and read this: https://www.judiciary.uk/wp-content/..._in_Person.pdf



    • #3
      Absolutely not. I have made it quite clear I want absolutely nothing more to do with them and I have even said that I would happily waive any rights I have to engage in legal action against them. Not sure that's possible though.

      This is a point of law, that they are simply misinterpreting that section of the Act.



      • #4
        I have treated this as an interesting exercise in legal research. I have yet to find a definitive answer. There is some oblique commentary, such as in this set of guidelines by the European Data Protection Board, relating to search engine cases - https://edpb.europa.eu/our-work-tool...rch-engines_en.

        However, all the references to the exemption in Article 17.3(e) are brief and oblique. If there have been any decided cases on the point, whether in the EU or UK, I have not been able to find one.


        • #5
          I agree, there seems to be very little case law or guidance on the matter, in the UK at least. I think it may at least be worth going back to the ICO and seeing if you can escalate the matter by pointing to their own guidance, which contradicts what they have told you. For what it's worth, in my opinion the exception in Article 17.3(e) should only apply if legal proceedings are contemplated or imminent, not just a theory that it could be a possibility proceedings might occur sometime in the future, as the ICO guidance states.

          Even if they could rely on the exemption, you could argue that they should nevertheless comply with the data minimisation principle and consider what information they really need to hold on to and retain. For example, would it be acceptable to have your full name and address and a description of the order/invoice? Why do they need to retain your email address or your telephone number for legal proceedings? Can they not be deleted?

          Anyway, there is a helpful website set up by NOYB (None Of Your Business, Max Schrems, the guy who sued Facebook around transfers of data) called GDPRHub. It contains contributions from people around the world, and particularly the EU, with commentary on the GDPR, enforcement by data protection regulators and case law - see https://gdprhub.eu

          Specifically, there is a handful of reported case law on Article 17.3(e) below which may or may not be relevant to you as you'd have to find a translation of the judgment and then read it.

          https://gdprhub.eu/index.php?title=C..._17(3)(e)_GDPR
          If you have a question about the voluntary termination process, please read this guide first, as it should have all the answers you need. Please do not hijack another person's thread as I will not respond to you
          - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
          LEGAL DISCLAIMER
          Please be aware that this is a public forum and is therefore accessible to anyone. The content I post on this forum is not intended to be legal advice nor does it establish any client-lawyer type relationship between you and me. Therefore any use of my content is at your own risk and I cannot be held responsible in any way. It is always recommended that you seek independent legal advice.



          • #6
            Atticus & Rob,

            Many thanks for your educated responses, which is currently more than I am getting from the ICO. I have repeatedly asked them to escalate this matter to a more senior member of the ICO for clarification of Article 17 (3) (e), yet the only response I have so far had is simply to go back to the company and ask them! Quite unprofessional and I am unimpressed with them thus far.

            I agree with everything said above, and have already relayed this to the ICO, without any meaningful response. I will obviously need to lodge a separate complaint with the ICO if the current operative continues to refuse to refer the matter upwards.

            Thanks for the GDPRhub link, I will make my way through anything they have and report back, as I agree, this is a very interesting exercise in legal research!

            I rarely give up, so I am determined to get a result.



            • #7
              Just an update: The person dealing with this at the ICO has closed the complaint, maintaining that the company is able to keep personal data on a "just in case" basis. Clearly this is nonsense.

              Obviously I now need to lodge a complaint to the ICO, who don't seem capable of doing their jobs. Everything I've read says that a "just in case" basis is completely wrong.

              EDIT: I have just read that if I am challenging the ICO's interpretation of the law, which I am, then the only recourse is legal action. Normally one would be able to raise a complaint through one's local MP, via the Parliamentary & Health Service Ombudsman about their decision, but not if it is a challenge of interpretation.

              So effectively, that's it. The ICO's way out when things get tough. Pretty poor I'd say.
              Last edited by jparrie; 20th February 2024, 22:07:PM.



              • #8
                Appeals would go through the First Tier Tribunal, which would come at a cost if you wish to pursue it. Typically, legal costs are not awarded in the Tribunal if you lose unless you are deemed to have acted unreasonably in bringing the appeal. Obviously you would need to decide whether it is worth your time doing that but then maybe your better option would be to go down the county court route directly against the data controller and seek a small sum of compensation for the inconvenience and distress (if any) as well as an order to delete the information - you will then have a final decision on the matter.


                • #9
                  If I lived in the UK I would do just that. However, I think the ICO has deliberately shut this down because they know that living o/s makes it very difficult to do anything (so I assume). I'm not looking for any financial benefit, just the correct outcome.



                  • #10
                    Is there a reason you did not mention this earlier?


                    • #11
                      Why should it be relevant?
