GDPR - Data portability and Data Deletion

Mark Meer

Trusted Information Resource
#1
Another General Data Protection Regulation (GDPR) topic for discussion:

From various sources I've been reading, the data subject is spoken of as if they have a right to ownership of their personal data collected/stored by a controller.

If this is the case, am I, as a controller, allowed to simply delete data without notifying the subjects?

For example, I maintain a customer database with names, addresses, and email correspondence history. At some point we decide to purge the database of all customers that have not been active for more than 3 years. Am I required to notify all these customers? ...what happens if, hypothetically, one of these customers then came to me and requested portability of their data under the GDPR?

As I read more about the GDPR, there are so many grey-area hypothetical situations I'm conjuring up, it'll be interesting to see how the regulations will be enforced in practice...
 

FoGia

Quite Involved in Discussions
#2
Why would it be a problem to delete the data? From a GDPR standpoint you are effectively reducing the privacy risks by removing the information. You can do that as a controller without notifying the people involved. Btw this is considered good practice since you're removing data that are no longer of use (principles laid out in Art. 5).

Yes you're bound to data portability, but if there's no data, then there's nothing to transfer.
 

Ian_Morris

Involved In Discussions
#3
It depends on what basis you are holding the information.
If it is on a consent basis only, i.e. a marketing database, then deleting it should not be a problem, provided you keep records of people that had refused or removed permissions previously to ensure that you do not inadvertently communicate with them in the future.
If it is being kept for contractual, or legal purposes then clearly you cannot simply delete it, as it is necessary for the purpose intended.
 

Mark Meer

Trusted Information Resource
#4
...From a GDPR standpoint you are effectively reducing the privacy risks by removing the information....
The question is: is this a data privacy regulation, or a data protection regulation? (the name would seem to imply the latter)

If privacy is the ultimate intent, then I agree with you. Deleting someone's data certainly reduces privacy violation risk.

If, however, the regulation is framed/interpreted in a sense that persons have a right to their personal data, and hence the data must be appropriately protected, and they should be able to exercise a certain degree of ownership, then I could see how deleting without notification could be potentially an issue.

We'll see how it plays out in the future I guess...
 

Ian_Morris

Involved In Discussions
#5
It is both really.

It starts with privacy (the wording actually includes the statement privacy by design), but once you have it there is a duty of care to protect it.
 

FoGia

Quite Involved in Discussions
#6
As a controller you (have to) define the terms with which the data gets to be stored, collected, archived, accessed but also removed. You have to define a retention period, for instance, after which the data must be deleted and the modalities of the deletion. As a controller there are no obligations to inform someone that you are going to remove their data from your system (unless of course you are bound by an agreement to do so or if you're obliged by law to do it - but that falls outside the GDPR requirements).
If someone asks for their data after the retention period has expired, you're in your right to simply say 'sorry I don't have that data'.

Where I have a question myself is what kind of trail the company needs to keep in order to demonstrate that the deletion process has been implemented correctly. I would imagine keeping a log of the number of deletions, but of course there will be no way to tell the requestor "your record was part of our database but was deleted on XXXX".
 

Ian_Morris

Involved In Discussions
#7
Before you get to the point of the activities you describe, as the controller you have to determine what personal information is absolutely necessary for the purpose that you need it for and advise the individual of the same.
You also have to determine whether you keep a documented record of what information you will have and how it will be handled through its life-cycle (this is a legal requirement if you have more than 250 employees).

With regard to deletion of the data, this should be included within your record and / or control of records and retention policies. I am not aware of any requirement to advise someone that you have deleted their information when it is no longer required; it works on the basis that you have information or you don't.

In the event that they make a subject access request and confirm that you do not hold any personal information for them, there is the possibility that they may complain to your regulator. It will be important to show that you have done a proper search of your systems to have confirmed that you do not hold any information.
 