Such information must be stored for a specific purpose; the subject must be told the purpose and consent to it. Using the information for another purpose is illegal. Giving the data to another entity, except if the subject was told this was part of the purpose, is illegal. Moving the data out of the EU is illegal, except if these rules can be enforced elsewhere.
The subject is entitled to see all information you have about them, and you must correct errors which are reported to you. You may charge a "reasonable" (most jurisdictions interpret this quite narrowly) access fee and demand some evidence of their identity.
You must destroy any information you no longer need. You should have explicit policies justifying any data retention and scoping it appropriately.
Copyright © 2017, Eklektix, Inc.