The Cove Business Standards Discussion Forums
GDPR - Data portability and Data Deletion
Post #1 - 13th June 2018, 11:38 AM - Mark Meer (Total Posts: 885)
GDPR - Data portability and Data Deletion

Another General Data Protection Regulation (GDPR) topic for discussion:

From various sources I've been reading, the data subject is spoken of like they have a right to ownership of their personal data collected/stored by a controller.

If this is the case, am I, as a controller, allowed to simply delete data without notifying the subjects?

For example, I maintain a customer database with names, addresses, and email correspondence history. At some point we decide to purge the database of all customers that have not been active for more than 3 years. Am I required to notify all these customers? ...what happens if, hypothetically, one of these customers then came to me and requested portability of their data under the GDPR?

As I read more about the GDPR, there are so many grey-area hypothetical situations I'm conjuring up, it'll be interesting to see how the regulations will be enforced in practice...

Post #2 - 26th June 2018, 08:24 AM - FoGia (Total Posts: 44)
Re: GDPR - Data portability and Data Deletion

Why would it be a problem to delete the data? From a GDPR standpoint you are effectively reducing the privacy risks by removing the information. You can do that as a controller without notifying the people involved. Btw this is considered good practice since you're removing data that are no longer of use (principles laid out in Art. 5).

Yes you're bound to data portability, but if there's no data, then there's nothing to transfer.
Post #3 - 26th June 2018, 10:25 AM - Ian_Morris (Total Posts: 32)
Re: GDPR - Data portability and Data Deletion

It depends on what basis you are holding the information.
If it is on a consent basis only, i.e. a marketing database, then deleting it should not be a problem, provided you keep records of people that had refused or removed permissions previously to ensure that you do not inadvertently communicate with them in the future.
If it is being kept for contractual, or legal purposes then clearly you cannot simply delete it, as it is necessary for the purpose intended.
Post #4 - 26th June 2018, 11:35 AM - Mark Meer (Total Posts: 885)
Re: GDPR - Data portability and Data Deletion

Quote (in reply to FoGia):
    ...From a GDPR standpoint you are effectively reducing the privacy risks by removing the information....

The question is: is this a data privacy regulation, or a data protection regulation? (the name would seem to imply the latter)

If privacy is the ultimate intent, then I agree with you. Deleting someone's data certainly reduces privacy violation risk.

If, however, the regulation is framed/interpreted in a sense that persons have a right to their personal data, and hence the data must be appropriately protected, and they should be able to exercise a certain degree of ownership, then I could see how deleting without notification could be potentially an issue.

We'll see how it plays out in the future I guess...
Post #5 - 27th June 2018, 03:18 AM - Ian_Morris (Total Posts: 32)
Re: GDPR - Data portability and Data Deletion

It is both really.

It starts with privacy (the wording actually includes the statement privacy by design), but once you have it there is a duty of care to protect it.
Post #6 - 27th June 2018, 04:09 AM - FoGia (Total Posts: 44)
Re: GDPR - Data portability and Data Deletion

As a controller you (have to) define the terms with which the data gets to be stored, collected, archived, accessed but also removed. You have to define a retention period, for instance, after which the data must be deleted, and the modalities of the deletion. As a controller there are no obligations to inform someone that you are going to remove their data from your system (unless of course you are bound by an agreement to do so or if you're obliged by law to do it - but that falls outside the GDPR requirements).
If someone asks for their data after the retention period has expired, you're within your rights to simply say 'sorry, I don't have that data'.

Where I have a question myself is what kind of trail the company needs to keep in order to demonstrate that the deletion process has been implemented correctly. I would imagine keeping a log of number of deletions but of course there will be no way to tell the requestor "your record was part of our database but was deleted on XXXX".
Post #7 - 27th June 2018, 04:42 AM - Ian_Morris (Total Posts: 32)
Re: GDPR - Data portability and Data Deletion

Before you get to the point of the activities you describe, as the controller you have to determine what personal information is absolutely necessary for the purpose that you need it for and advise the individual of the same.
You also have to determine whether you keep a documented record of what information you will have and how it will be handled through its life-cycle (this is a legal requirement if you have more than 250 employees).

With regards to deletion of the data, this should be included within your record and / or control of records and retention policies. I am not aware of any requirement to advise someone that you have deleted their information when it is no longer required; it works on the basis that you either have information or you don't.

In the event that they make a subject access request and confirm that you do not hold any personal information for them, there is the possibility that they may complain to your regulator. It will be important to show that you have done a proper search of your systems to have confirmed that you do not hold any information.
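The open question in posts #6 and #7 is what trail a controller can keep to demonstrate that a retention purge ran as documented, and to answer a later subject access request, without the trail itself retaining the personal data that was just deleted. The following is an added example, not code posted by anyone in this thread: it purges customers inactive for more than 3 years (Mark Meer's scenario in post #1) and writes a deletion log that holds only a keyed hash (HMAC) of the identifier plus the deletion date. The customer records, the `AUDIT_KEY` value, and the field names are constructed assumptions for illustration.

```python
"""Retention purge with a pseudonymised deletion trail (added example).

Assumptions (not from the forum thread): customer records are dicts with
'email', 'name' and a 'last_active' date; a per-deployment secret key is
available for the HMAC; the retention period is 3 years of inactivity.
"""
import hmac
import hashlib
from datetime import date, timedelta

RETENTION_DAYS = 3 * 365  # "not active for more than 3 years"

# Constructed sample records; these are not real customers.
CUSTOMERS = [
    {"email": "alice@example.com", "name": "Alice", "last_active": date(2018, 5, 1)},
    {"email": "bob@example.com",   "name": "Bob",   "last_active": date(2014, 1, 15)},
    {"email": "carol@example.com", "name": "Carol", "last_active": date(2015, 3, 3)},
]

# Hypothetical placeholder key; a real deployment would load it from a
# secret store and rotate/destroy it under the log's own retention rule.
AUDIT_KEY = b"audit-key-placeholder-not-for-production"


def subject_token(email: str, key: bytes = AUDIT_KEY) -> str:
    """Keyed hash of the normalised identifier.

    The log can later recognise a subject who presents the same email,
    but nobody holding the log alone can recover the email from it.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def purge_inactive(customers, today, retention_days=RETENTION_DAYS):
    """Return (records to keep, deletion log entries) for one purge run.

    Each log entry records only the token, the deletion date and the rule
    applied; no name, email or activity history is copied into the log.
    """
    cutoff = today - timedelta(days=retention_days)
    kept, log = [], []
    for record in customers:
        if record["last_active"] < cutoff:
            log.append({
                "token": subject_token(record["email"]),
                "deleted_on": today.isoformat(),
                "rule": "inactive_over_3y",
            })
        else:
            kept.append(record)
    return kept, log


def purge_summary(log):
    """Aggregate count per rule and date, for the audit record a
    controller keeps to show the retention process was executed."""
    summary = {}
    for entry in log:
        key = (entry["deleted_on"], entry["rule"])
        summary[key] = summary.get(key, 0) + 1
    return summary


def answer_subject_request(email, customers, log):
    """Answer a subject access request from the live data and the log.

    'held'      -> the record exists and can be exported (portability)
    'deleted'   -> no record, but the log shows when it was deleted
    'not_found' -> no record and no trace of a prior deletion
    """
    for record in customers:
        if record["email"].strip().lower() == email.strip().lower():
            return {"status": "held", "data": record}
    token = subject_token(email)
    for entry in log:
        if hmac.compare_digest(entry["token"], token):
            return {"status": "deleted", "deleted_on": entry["deleted_on"]}
    return {"status": "not_found"}


if __name__ == "__main__":
    remaining, deletion_log = purge_inactive(CUSTOMERS, date(2018, 6, 13))
    print("kept:", [r["email"] for r in remaining])
    print("summary:", purge_summary(deletion_log))
    print(answer_subject_request("bob@example.com", remaining, deletion_log))
```

Two design points worth noting. The log answers the question FoGia raised in post #6 ("your record was part of our database but was deleted on XXXX") only for a subject who re-identifies themselves with the same email, because the HMAC is one-way; a plain unkeyed hash would not be enough, since email addresses are easily guessed and hashed. And because the log itself is a record about a person, it needs its own retention rule: destroying `AUDIT_KEY` at the end of that period makes every token unlinkable without touching the log entries or the counts they feed.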