Home
Global
Contact
Among the new personal data protection laws, particular controversy is sparked by Article 17 of the General Data Protection Regulation (GPDR), which gives data subjects the right to obtain erasure of their data.
Numerous myths have surrounded that right and fuelled the fear of incorrect data processing.
However, the right to erasure is nothing new as it existed under the previous directive and the Polish 1997 Personal Data Protection Act. In focusing on the right to erasure data controllers often forget about their other obligations under GDPR, e.g. the obligation to implement appropriate procedures to prevent incidents concerning personal data. Moreover, several exceptions apply to the right to erasure.
GDPR clearly defines when a data subject may request data erasure. First, this is when the data controller no longer needs the data for purposes for which they were originally collected. For instance, a website owner decides to stop sending newsletters and no longer needs e-mail addresses to send commercial information.
Another ground for requesting data erasure is the a withdrawal of consent if the data were processed exclusively on the basis of that consent. Often times data subjects wrongly think that with their withdrawal of consent all data will be erased completely forgetting that they and the controller may be bound by e.g. a contract which requires certain data in order to be effectively performed. Similarly, a parent or a legal guardian of a minor who uses certain Internet services on the basis of the earlier consent may request erasure of data.
The erasure of personal data may be requested also if they are processed unlawfully or if they have to be erased to ensure compliance with a legal obligation imposed on the data controller.
As already mentioned, there are various exceptions to the right to data erasure. They invoke mainly the public interest and include without limitation the freedom of expression and information, public health, or statistical, archiving and historical research purposes. Furthermore, a data controller may retain personal data of the data subject who requests data erasure in order to comply with his legal obligation or for the establishment, exercise or defence of legal claims. As a consequence, whenever a request for data erasure arrives, the data controller should check if the request is well-founded – whether there are grounds for the request and whether there are any limitations.
If the above-mentioned grounds exist, the data controller should erase the personal data. GDPR imposes a further obligation to pass the information about the request to erasure to other data controllers to whom personal data have been made public. This touches upon the second aspect of the right to erasure: the so-called right to be forgotten. However, GDPR is quite vague here. First, it does not explain how secondary data controllers should respond to such information. Second, data subjects do not always want their data to be erased by other data controllers. Third, the information must be passed only if the data have been made public, not just disclosed (e.g. to another controller or processor). In sum, the right to be forgotten cannot be treated as an inextricable part of the right to erasure.
A data controller who wants to process requests for data erasure should implement appropriate procedures to demonstrate compliance with GDPR. The easiest way is to keep records of processing activities. They let the data controller group the data categories according to specific activities, purposes and legal bases of processing, so that the risk of data security breach may be reduced significantly. It is best if all company departments keep internal records of processing activities due to the different scopes of data they process. Such a procedure will ensure the transparency of processing which is one of the primary principles of GDPR.
Data controllers and data processors should also consider developing a data retention policy. Although not explicitly mentioned in GDPR, such a document may be related to one of the principles of data processing, namely the principle of storage limitation. That principle says that personal data in a form which permits identification of data subjects must not be kept for longer than is necessary for the purposes for which the personal data are processed. A data retention policy helps data controllers to control the processing activities.
The policy should explain what data the data controller processes and on what basis. However, the most important component of the policy is the period for which the data may be processed. Very often the period cannot be expressed in months or years. It depends on particular circumstances of the case. The retention period in respect of personal data processed on the basis of consent lasts until the consent is revoked. Still, it is worth reminding the data subjects of their consents to data processing and asking them if their consent is still valid. Users often forget about their consents and enterprises being prudent data controllers should make sure they can still process their data. Moreover, the maximum processing period often results from laws, e.g. in respect of employee data. The Polish Labour Code stipulates clearly for how long a former employer may process personal data of a former employee – at present, it is 50 years (which will be cut short to 10 years from 1 January 2019).
Well-structured procedures help the controller manage the data he processes and fulfil his obligations under the GDPR. Especially a data retention policy may help exercise the right to erasure which has stirred up so many myths. The policy will help the data controller assess if the data erasure is possible. The procedure often requires a prior analysis of the data processing activities in a company which may reveal further data processing issues.
Jarosław Kamiński
Attorney at law (Poland)
Associate Partner
Send inquiry
Profile
