Data rights requests continue to be one of the most challenging areas of GDPR compliance. Last year, we published some practical tips on how to manage subject access requests. In this article, we focus on another tricky right under the GDPR – the right to deletion.
Practically speaking, deletion requests can pose challenges of their own, in particular where data is unstructured, stored in back-up servers or held by a third party. However, navigating the legal questions and understanding the extent of your obligations can also be complicated. This is especially true given a number of non-European jurisdictions have introduced similar rights to deletion under their own privacy laws (such as California). In this article, we outline a 7-step process for approaching deletion requests that will help you keep on track and ensure you handle them correctly.
Deletion requests under the GDPR
The right to deletion – more formally known as the “right to erasure” – is one of the fundamental rights under the GDPR. Under Article 17(1), an individual can request that a controller delete all of the data they hold about the individual, whether that data was originally obtained from the individual, collected from a third party, or generated by the controller themselves. It’s also one of the most popular rights and individuals are increasingly keen to exercise it.
The GDPR contains two other rights that are related to the right to deletion:
- under Article 7(3), where the controller is relying on the individual’s consent to process their data, the individual may withdraw their consent; and
- under Article 21(1), where the controller is relying on legitimate interests to process an individual’s data, the individual may object to the processing of their data.
You can think of these rights as doppelgängers – they look similar to each other but only one of them exists in any given situation. Essentially, if you are relying on consent as your lawful basis for processing then the individual can withdraw their consent, whereas if you are relying on legitimate interests then the individual can object to the processing. Both of these rights are related to the right to deletion because they require the controller to stop processing the individual’s data, which (in many cases) will mean deleting the individual’s data as well. An individual can submit a withdrawal/objection request, a deletion request, or both.
It goes without saying that each of these rights has different requirements and exceptions, so things can get complicated very quickly. To make things simpler, we have broken down the questions you should be asking yourself whenever you receive one of these requests.
1. What law applies to the data?
When responding to any rights request, your first step should always be to determine what law applies to the data in question. Where are you established? And where does the request come from – the EU, UK, California or elsewhere? This question is fundamental because it dictates your legal obligations, as well as more practical matters like what verification steps you should be following and the deadline by which you have to respond.
This is true even if you are adopting a “global” approach to rights requests – in other words, you have decided to honour requests from all individuals, no matter their location and whether they actually benefit from those rights under the law. This is because the relevant law will also dictate whether you are actually responsible for dealing with the request in the first place – something we cover in the next step.
2. What is your data processing role?
Once you have identified the relevant law, you should determine your data processing role under that law. This question is equally important because, depending on the data in question, you may not actually be required – or indeed permitted – to honour the request.
Under the GDPR you may be acting as either a “controller” or “processor” of the data in question, while under the CCPA you may be a “business” or “service provider”. As the “controller” / “business” of the data, you are responsible for honouring the request. By contrast, as a “processor” / “service provider” you are merely processing the data on behalf of your customer (as the “controller” / “business”) and should therefore only be responding to the request with your customer’s permission and in accordance with their instructions.
For many organisations, this question will be relatively straightforward. For others, it could be more complicated. This is because the concepts of “controller” / “business” and “processor” / “service provider” are not fully aligned, so in some cases you could be acting as a “service provider” under the CCPA but be considered a “controller” under the GDPR. Whatever the situation, it is important to get this right to ensure you do not act outside the scope of your customer’s instructions and inadvertently step into a different data processing role.
Here, we are focusing on GDPR requests so will assume that the GDPR applies and you are the relevant controller for the data in question. You will now have to consider what you are using the data for and your legal basis for processing.
3. Are you relying on the individual’s consent to process the data?
Generally speaking, the rights under the GDPR are not absolute rights and there are situations where you are not obligated to comply with a request. However, if you are relying on the individual’s consent to process the data, then you will have to stop processing it for that purpose and, if requested, delete it. This is because an individual’s right to withdraw consent is an absolute right and can be exercised at any time. This is why consent is often not an appropriate basis for processing – for example, if you actually need the data to provide a service to the individual or are using it for a legitimate purpose that would be compromised if you have to delete it on demand (such as if you are using the data to improve your AI algorithms and it forms an integral part of the model). If you are not relying on consent to process the data, or have some other legitimate need to retain it, then there are a number of situations where you may not be required to comply with the request.
4. Do you need the data to fulfil a contract with the individual?
The first of these situations is where you need the data to fulfil a contract with the individual, i.e. to provide a product or service that the individual has specifically requested. This would be relevant, for example, if you need the individual’s email address to send them notifications and alerts about a service they have registered for. Here, you would be relying on contractual necessity as your lawful basis for processing and you still need the data to fulfil that purpose – in this situation, the GDPR allows you to continue processing the data. Just bear in mind that as soon as the data is no longer needed, you will be required to delete it.
5. Do you need the data to comply with a legal obligation?
Similarly, if you need the data to comply with a legal obligation, then you can continue to process the data and are not required to comply with the request. This would be relevant, for example, if you are required to retain employee data for tax reporting purposes or client account data for anti-money laundering purposes. Whatever the reason, you must be able to clearly identify the obligation and demonstrate that retaining the data is a reasonable and proportionate way to meet it.
6. Are you using the data for…
EO 14086 and the EU-U.S. Data Privacy Framework
On 7 October 2022, President Biden signed Executive Order 14086 “Enhancing Safeguard…
Schrems II Judgment Day
The Court of Justice of the European Union (“CJEU“) issued its judgment today in …
