
"The right to erasure" is not an absolute right for anyone to get all their data deleted. If the data owner (read: the registrars) still has a legal right to collect and maintain the data public and it has not been revoked, one could argue that they (security trails) don't have to remove the data.

It's my understanding that the registrars are the ones with the burden here. They need to inform everyone of the data erasure and/or data updates on private information. Fun times when you have public information for anyone to gather on the internet. It could be that there are exemptions for these kinds of services, I do not know, but would the exemption not also include the services that aggregate/collect historic information as well?

Disclaimer: I am not a lawyer. I am not well versed in GDPR. Anyone finding this interesting should go read up on GDPR.


>one could argue that they (security trails) don't have to remove the data.

It doesn't work that way. The "right to be forgotten" can be used to remove search results from Google, even if the original content stays up.


Interesting! From a quick Google search, the following Wikipedia citation seems to be what you are referring to: Grounds for removal include cases where the search result(s) "appear to be inadequate, irrelevant or no longer relevant or excessive in the light of the time that had elapsed."[1]

Under GDPR, Security trails (company or person that operates it) could be classified as a "Data controller" [2] and then would of course be liable to delete information gathered about a person upon request and when the data is deemed to be "inadequate, irrelevant or no longer relevant or excessive". So for example, John Doe wants to remove the historic information that he used to own porn.com which he doesn't anymore.

However, I do not think it's clear that you have to delete the data for the current owner of porn.com due to his or her need for privacy as long as they have collected the information lawfully.

As actual advice to the people at security trails, I would recommend they put up clear instructions on how to request a data erasure from their database. Like "Email erasure@securitytrails.com to request removal of your personal information" and what information they need to delete it.

[1] https://en.wikipedia.org/wiki/Google_Spain_v_AEPD_and_Mario_...

[2] https://en.wikipedia.org/wiki/General_Data_Protection_Regula...

Edit: formatting


Actually the first thing Security Trails have to do is to figure out under which legal basis they think they have the right to process personal data. This is fundamental to figuring out their duties. I strongly suspect they don't have a legal basis in GDPR terms and therefore would need to rely on consent. The much publicised "right to be forgotten" is the very least of their worries.


> The interesting thing is, that the law seems not to forbid to store the data outside of Russia, it "just" dictates that the data has to be stored in Russia also.

Correct! I was on a team trying to architect a solution for this and the requirements were really diffuse. We ended up doing a DB "replication" (via triggers) to a Russian cloud provider after the data had been committed in a European data center. The lawyers signed off on it but there were no clear guidelines from the Ministry of Communication (http://minsvyaz.ru/) on what was OK from a tech implementation view.

However, I feel that the best solution for solving it was to have all Russian traffic routed through something like a reverse web proxy which would first write the data to servers located in Russia or fail the request.


Since you may not reliably determine the citizenship via traffic routes, it's probably better to ask the user during signup about his country (a simple pre-filled "Where are you from?" question, a true answer to which is required by the ToS) and then route his data through a native (Russian, Chinese etc.) server, which can store it and "request" further processing overseas (this fulfills all the requirements of the law, including both storage and primary processing).
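
The write ordering described in the two comments above (store in the in-country server first or fail the request, with the country taken from the signup answer), as an added example that is not part of the original comments. The class names, the in-memory stores and the HTTP status codes are assumptions made for illustration.

```python
class StoreUnavailable(Exception):
    """Raised when a regional store cannot accept a write."""


class MemoryStore:
    """In-memory stand-in for a regional database (constructed for this example)."""

    def __init__(self, region, available=True):
        self.region = region
        self.available = available
        self.rows = []

    def write(self, record):
        if not self.available:
            raise StoreUnavailable(self.region)
        self.rows.append(dict(record))


class ResidencyRouter:
    """Hypothetical proxy logic: in-country write first, fail closed."""

    def __init__(self, local_stores, overseas_store):
        self.local_stores = local_stores  # declared country -> in-country store
        self.overseas_store = overseas_store

    def handle_write(self, declared_country, record):
        """Return (http_status, regions_written) for one write request."""
        written = []
        local = self.local_stores.get(declared_country)
        if local is not None:
            try:
                local.write(record)
            except StoreUnavailable:
                # Fail the request before anything is stored overseas.
                return 503, written
            written.append(local.region)
        try:
            self.overseas_store.write(record)
        except StoreUnavailable:
            # Assumption: the in-country copy is committed, so the overseas
            # copy can be retried later and the request is accepted.
            return 202, written
        written.append(self.overseas_store.region)
        return 200, written


if __name__ == "__main__":
    ru, eu = MemoryStore("ru"), MemoryStore("eu")
    router = ResidencyRouter({"RU": ru}, eu)
    print(router.handle_write("RU", {"user": "u1"}))
    ru.available = False
    print(router.handle_write("RU", {"user": "u2"}), len(eu.rows))
```

This ordering is the reverse of the trigger-based replication described earlier in the thread, where the European commit happens first and the in-country copy follows.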

