Is Discord GDPR Compliant?


Published on Jul 14, 2025 by Iron Brands


TL;DR

Partially. While Discord asserts GDPR compliance—offering user controls for account deletion, account erasure, and personal data export—significant concerns remain. These include retention without clear automatic deletion, inability to bulk-delete messages via the UI, and a major CNIL fine (€800K in 2022) over data retention policies, consent or notification shortcomings, weak passwords, lack of DPIA, and more. [www.discord.com]

  1. Awareness of Legal Basis & Data Controller Role
  2. Account & Data Controls
  3. Data Export & DSAR Support
  4. Retention Policies & CNIL Fine
  5. Message Deletion Limitations
  6. Security & DPIA Updates
  7. User Rights
  8. Breach & Incident Handling
  9. Who Should Care?
  10. Final Thoughts

Awareness of Legal Basis & Data Controller Role

Discord relies on legal bases such as contractual necessity and legitimate interest. It designates Discord Netherlands BV as the data controller for EEA/UK users and Discord Inc. for all others.

Account & Data Controls

Users who delete their accounts are anonymized: emails and personal identifiers are removed. All personal data in profiles becomes scrambled, but user-generated messages (DMs, server content) remain unless manually deleted. [www.reddit.com]

Data Export & DSAR Support

Discord allows account data export via settings and supports access, rectification, deletion, and portability requests, all via the app or by contacting their DPO. [www.discord.com]

Retention Policies & CNIL Fine

In November 2022, France’s CNIL fined Discord €800,000 for GDPR violations including:

  • No written data retention policy
  • Lack of clarity in retention periods
  • Failure to inform users properly
  • Weak password rules
  • Neglecting DPIA obligations

Discord has since implemented a two-year deletion policy, stronger credentials, pop-up alerts, and DPIAs. [www.edpb.europa.eu], [www.cookie-script.com]

Message Deletion Limitations

The web UI lacks bulk message deletion; users must now request it manually via a support ticket. Community reports emphasize this as a GDPR issue.

Reddit users point out:

“Discord does NOT comply with EU GDPR… right to be forgotten… messages remain even after account deletion.”

However, others argue that anonymizing data meets legal requirements:

“Anonymizing messages is enough… precedent has been established.”

Security & DPIA Updates

Post-CNIL, Discord strengthened security by enforcing stronger passwords, conducting DPIAs, and adding enhanced user notifications (e.g., when the voice app is still active). [www.cookie-script.com]

User Rights

Discord enables EEA/UK/Swiss users to access, correct, delete, limit, port, object to processing, and withdraw consent, all via the app or by contacting privacy@discord.com.

Breach & Incident Handling

Though specifics aren’t detailed in public policy, GDPR guidelines imply Discord is responsible for breach reporting. Their improvements post-CNIL reflect this obligation.

Who Should Care?

  • Private individuals: Think twice before sharing personal/identifiable details—you cannot bulk-delete content easily.
  • Community admins & parents: Remain vigilant about residual content in servers and DMs.
  • Privacy-conscious users: Consider submitting DM deletion requests or proactive cleanup before account deletion.
  • Compliance professionals: Ensure systems align with GDPR expectations beyond “anonymization.”

Final Thoughts

Discord has taken steps to address GDPR compliance, especially after its CNIL fine—implementing data retention policies, security hardening, and DPIAs. It now provides essential tools for user data control. However, it still lacks seamless solutions for message erasure and clearly differentiates "anonymization" from full erasure, raising ongoing compliance questions.

If you're concerned about sensitive information, take action proactively—delete messages manually or contact support. For clearer compliance, consider building a compliance checklist or exploring community-driven tools to manage deletion workflows efficiently.
