On Mon, Jul 09, 2018 at 12:09:54PM -0400, Stephanie Perrin ([log in to unmask]) wrote:
> As to deleting the records of applicants who were rejected...you do
> need to keep them long enough for individuals to ask for access
> under the GDPR.
Yes.
> Let me get back to you with a proposed retention schedule on that.
Note NCSG Charter 2.7, too (although of course law will override
it in case of conflict).
> I also see no problem in keeping just the name and country, with the
> date of application and reason for rejection, in order to inform
> future committees in the event of persistent application.
I would tend to agree, although that is a bit of a grey area - I don't
know of any precedents. Might be worth asking some DPA.
--
Tapani Tarvainen