> the company has complied with this obligation under the GDPR during the procedure, as it now has a written data retention policy, which includes deleting accounts after two years of user inactivity
I find this interpretation of the GDPR surprising. Reviewing article 5.1.e there isn't any mention of timelines or any other definition of "necessary".
As a user, I wouldn't want my account blown away just because I haven't logged in for a while.
If this was e.g., an advertiser I don't have a direct relationship with, then yeah, purge that data! But data retention is a core of my relationship with Discord, so I want that data kept around.
2.4 million accounts not used in the last 3 years. This isn't "a while" it is a reasonable amount of time for a company to assume that someone doesn't want you to keep their data any longer unless they still have some other relationship with you or have your consent to keep the data stored until you explicitly delete it.
The regulations are to strike a balance between the needs of the business and the needs of the individual where the individual's privacy should generally win over the desires of the business.
I don't feel it's misrepresentative because I've gone 2-3 year spans without logging into plenty of services, and I expected my data to be there when I returned.
I've had companies email me saying "log in or we'll delete your inactive account". That's a compromise I can accept.
This article doesn't specify whether Discord does this. I'm also curious whether that practice is required under the GDPR, which the article doesn't specify either.
I find this interpretation of the GDPR surprising. Reviewing article 5.1.e there isn't any mention of timelines or any other definition of "necessary".
As a user, I wouldn't want my account blown away just because I haven't logged in for a while.
If this was e.g., an advertiser I don't have a direct relationship with, then yeah, purge that data! But data retention is a core of my relationship with Discord, so I want that data kept around.