Note: a user called YIVI had previously stated that you could store a hash of the user's email address to avoid the requirements of the General Data Protection Regulation (GDPR) and ePrivacy Directive (EPD). This is false, as hashed email addresses are still considered personal information under the regulations, since it may still be possible for the data controller to identify the actual email address associated with the hashed value, i.e. the data controller still has personal information of the user stored. Pseudonymized data is still unequivocally considered personal data under the GDPR, as noted in Recital 26.
GDPR Recital 26 states: "Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person."
Under GDPR & EPD, a person's hashed or un-hashed email address can be considered personal information. GDPR & EPD require user consent before storing a user's personal information.
Websites need a way of blacklisting malicious users, i.e. adding the user's email address to a blacklist to prevent them from logging into the website.
Similarly, when a user deletes their account on a website, their email address may be added to a blacklist to prevent another account being opened with the same email address, for various security and management reasons.
Under GDPR a user has the right to be forgotten and can request that their personal information be deleted.
Are we allowed to keep the user's email address in a blacklist if they request that their personal information be deleted?