I requested my discord account for deletion. My account was marked as restricted (the restrictions were imposed several months ago and were still marked at the time of deletion). I’m having trouble determining how long Discord will retain my data and what specific data it retains. I sent an email to privacy@discord stating that, in accordance with GDPR, I want my data deleted as soon as possible. Will this email delay the deletion of my account beyond the standard 14 days? Is it possible that this email will allow my data to be deleted sooner after account deletion? How long and what specific data will be retained after the 14 days and after my account deletion? What is the retention period for data such as email addresses and phone numbers, and what is the retention period for IP logs and metadata?
I can’t answer all of your questions, but having deleted one account, and having one being banned, I can tell you this :
- Specifying you’re in a GDPR-respecting country doesn’t change their process, because their process is two steps anyway : first deactivation, and then deletion. The deactivation window is there in case you decide to change your mind. I don’t think they can shorten it. Once the delay is passed, your account will be marked for deletion and you can’t go back.
- The GDPR actually states the deletion delay between you asking and your account being deleted is 30 days. I don’t know if it’s an upper limit or not, since I know many services who delete faster than that, but you should expect Discord to delete your account before that.
- The data Discord will delete is “everything” except your messages. All of your messages will still be there, as well as your participation and presence in servers. It will just be anonymized. I don’t recall exactly how long it takes, but I recall seeing two different usernames on my main account when I was banned : one with a random number, and then later User000000 or something like that. This is essentially what’s gonna happen to you.
- For other datas that are kept on servers, I don’t remember what the GDPR exactly states but I think a few data has to be kept (legally, as in, Discord has no choice) for one or two years ?
I remember seeing a very cool chart about the deletion process and the timelines to be respected to be GPDR-compliant, but I can’t find it anymore. I’ll try to look again, because it was really cool.
Regardless, congrats on ditching Discord ! Even if they keep a few things, it’s still a lot better to delete your account and uninstalling the app than keeping them anyway.
I also requested an account AND message deletion. That was also the reason I got into the data breach you all know about. Discord denied to delete it, so I moved ahead to the data protection agency and reported that. Now they’re working together with Netherlands on that case, but it is still pending, so I cannot tell much more about. In meantime my account stays undeleted (also because there are chats I left, which I could not manually delete any longer).
Especially on private chats there are also private information that may can identify me or tell something about my person. We have a right to become forgotten and I hope my action with the agency will make Discord deleting my messages and improve the overall situation for everyone else. I told them Discord is trying to make it maximal hard to get data deleted and that it has system.
For everyone who want to report not deleting messages to data protection agencies, first you have to reach out the real support (answer the questions to the bot in a way you get an email and than answer to this bot-email to get real support). Tell them you want to delete account and messages and request it with GDPR art. 17. If they tell you now “I can delete your account, but I cannot delete your messages”, you can write an email to your data protection agency, attaching the support messages (from begin with your own first request). You don’t need to write it to Netherlands, they translate it into English and work with them together, which is easier, because all law-things will be discussed in your native language.
I got an answer within 3 days where they told what agency has the rights to work on that case (really long, individual text, they did real work in that two or three days!) and they request the usage of my personal data to work on this case (which I gave, of course).
By the way, I also wrote another mail and attached the data breach, which was directly related to my deletion request (would never happen if they had a button to delete everything, messages included).
Before I left Discord I saw some people on my chat-list with User-jnfe8 etc, specific identifiers which means pseudonyms and no anonym-accounts. I don’t know if User00000 is another step. But even than, the messages where bound to a chat, so I may could have figured out who those people were depending on messages I got.
Read my link to art. 17: “to erase personal data without undue delay”. What they’re doing is against the laws. Here another time, especially if you request “as soon as possible”. Another company wrote back “we have deleted everything related to you and after this mail to inform you, we delete also your mail-information”. That is the way how it should work.
Btw, cool decision. 