In the age of big data, the aim of giving natural persons effective control about what information exist about them out there seems ambitious. Nevertheless, the General Data Protection Regulation (“GDPR”) includes the principles of data minimization and purpose binding, meaning that data controllers are not allowed to retain personal data for longer than necessary in relation to the purpose they were initially collected for.
Moreover, the GDPR grants individuals the right to demand erasure of personal data relating to him or her (Art. 17 GDPR) under certain conditions that we want to briefly outline for you in this article. This claim is also referred to as the “right to be forgotten” and obliges data controllers to erase personal data without undue delay upon demand.
To which customers does the GDPR apply?
The material scope of the GDPR, including potential obligations to erase personal data, is not limited to B2C settings. B2B settings in which data subjects act on behalf of their companies may also be covered. For example, if an employee of your business customers sends an e-mail to your support team, the information contained in that e-mail this is also considered as personal data and the GDPR applies to it.
From a territorial perspective, the GDPR applies to any data processing operation in the context of the activities of an establishment of the respective data controller in the EU, regardless of whether the processing takes place in the EU or not. For example, if an EU branch of a company based in the US transfers data to a CRM system operated by the US headquarter, GDPR applies to the processing related to that CRM system.
Beyond that, GDPR may also apply to companies without any establishment in the EU, namely if they process personal data of natural persons located in the EU and the processing is, among others, related to the offering of goods or services to data subjects in the EU, irrespective of whether the service is chargeable or free.
Application of the GDPR therefore requires that the service is somehow aiming at the European market. Whether that is the case requires in-depth legal review. According to guidelines of the European Data Protection Board, an EU advisory body consisting of all data protection supervisory authorities, the scope of the GDPR covers situation in which, among others, a company
- runs marketing campaigns aiming at the EU market,
- uses EU top-level domains (.de, .eu),
- uses a language or a currency of an EU state (at least if it deviates from the language in the company’s country of residence) or
- offers delivery of goods to EU member states.
Under which conditions are customers entitled to erasure of their data?
Art. 17(1) GDPR provides a list of grounds that lead to the obligation to erase personal data. It seems obvious that one of these grounds is that the personal data have been processed unlawfully before. But the “right to be forgotten” is not only limited to that. Below, we explain only the most relevant constellations, according to our practical experience.
Grounds for deletion include that the requests concerns personal data of a child, or that the data are no longer necessary in relation to the purposes for which they were collected. According to Art. 6(4) GDPR, using data for purposes other than those for which they were initially collected is only lawful under strict conditions. If those conditions are not met, data must be erased upon demand.
The obligation to erase the data also arises if the data subject withdraws consent, which is possible at any time and not bound to conditions, and where there is no other legal ground for the processing such as legitimate interest or contractual necessity. If the processing was initially based on legitimate interests or serves direct marketing purposes and the data subject exercises his or her right to object to the processing pursuant to Art. 21(1) and (2) GDPR, erasure is also required under the conditions for valid objection.
Are there any exceptional cases allowing us to retain personal data?
Yes. Two exceptions of the catalogue of Art. 17(3) GDPR are particularly relevant for private companies. First, data controllers may be obliged by EU law or national laws of EU member states to retain certain information for documentation purposes. This particularly applies to business and tax related information, depending on the jurisdiction the data controller is subject to. In case of similar laws in non-EU states, processing may be justifiable under the aspect of legitimate interests.
Second, data may be retained for the purpose of the establishment, exercise or defence of legal claims. This may be particularly relevant for HR related information or communication with customers in case of legal disputes. This exception is limited to cases in which objectively demonstrable events indicate the possibility of a legal dispute. Data retention may be justifiable until limitation periods for the feared claims expire.
How should we practically carry out deletion?
Companies should implement internal processes for comprehensive and physical deletion. Logical deletion such as restricting access to the data for employees or references are insufficient from a legal point of view. It should be ensured that no copies are left in any databases and, where feasible, backups.
If a data subject exercises his or her “right to be forgotten”, data controllers must process any such request without undue delay and in any event within one month. Deletion should be announced to such person prior to the deletion, as a subsequent confirmation would prove that at least contact details are still retained, contrary to what has just been confirmed.
Companies should review their obligations to inform receiving third parties of the data in question where the data controller has made the personal data public, for example if the data controller provided public customer profiles as part of a platform solution.
The obligation to erase data under certain circumstances is not only limited to situations in which a data subjective exercises his or her respective rights. Considering the GDPR principle that data may not be retained longer than necessary in relation to the purpose of the initial collection of the data under Art. 5(1)(e) GDPR, companies are also required to proactively monitor whether retention personal data is required on an ongoing basis. Data controllers are also required to delete inaccurate data pursuant to Art. 5(1)(d) GDPR.
Obligations to erase information may, for example, apply to data on communication with customers (e.g. e-mails, recorded telephone calls). On the contrary, for example, if the customer maintains an account on an online platform and regularly uses it, storage may be justifiable until the customer actively terminates his or her account.
In order to standardize deletion processes and to ensure compliance with GDPR, many companies adopt data retention policies that reflect, amongst others, internal processes on data retention and erasure routines. Such policies also allow an in-depth analysis of national data retention obligations, for example stemming from tax or general business law.