GDPR Myth #2: GDPR requires you to delete all of a person’s data if they ask


Does GDPR require businesses to delete all data upon an individual’s request?

The right to be forgotten is one of the key innovations of GDPR, but it’s not exactly a new right, nor is it absolute. It developed in European law in the aftermath of an important court case known as the Google vs Spain ruling. In 2010, a Spanish citizen complained about an outdated court order against him appearing on Google search results. The European Court of Justice agreed this infringed on his right to privacy and ruled that individuals have the right, under certain conditions, to ask search engines to remove links with personal information about them where the information is inaccurate, inadequate, irrelevant or excessive.

The right to be forgotten has been enshrined in GDPR as the right to erasure. This is slightly more encompassing than the original Google vs Spain ruling, giving an individual the right to have their personal data erased and to prevent it from being processed in specific circumstances.


Under GDPR, when can someone ask to have their data erased?

Someone can ask to have their data erased if:

  • They withdraw consent
  • The data is no longer necessary in relation to the purpose for which it was first collected
  • The data was processed unlawfully
  • They object to the processing and there is no overriding legitimate interest to continue it

Refusing requests for erasure of data

The right to erasure is balanced against other interests, however. Requests for erasure can be refused if:

  • Erasure would infringe on freedom of expression and information
  • The data must be kept to comply with a legal obligation
  • The data is needed for public health purposes
  • The data is required for public interest, research or historical record purposes
  • The data is needed to establish, exercise or defend legal claims

If a request for erasure conflicts with record-keeping policies, for instance employee data which must legally be retained for a set period of time, then the right to erasure does not override this.

Another complicating factor is the requirement under GDPR to be accountable. Even if you are able to comply with an erasure request, you can’t simply delete all instances of a person’s name from your systems and never think about them again. Every request for erasure must be tracked, including the nature of the request and the fact that it was carried out. It may be that some of the data can be erased while other parts must be kept, at the very least a record that information was held about the person and that it was deleted following an erasure request. This is another feature of GDPR to be aware of: the fact that you cannot comply with a request in its entirety does not mean the request should be rejected outright.

This blog is the second in a series of GDPR Mythbusters VinciWorks will be publishing to help businesses distinguish between helpful guidelines and scary myths.