GDPR - Data portability and Data Deletion

Mark Meer

Trusted Information Resource
#1
Another General Data Protection Regulation (GDPR) topic for discussion:

From various sources I've been reading, data subjects are spoken of as though they have a right of ownership over their personal data collected/stored by a controller.

If this is the case, am I, as a controller, allowed to simply delete data without notifying the subjects?

For example, I maintain a customer database with names, addresses, and email correspondence history. At some point we decide to purge the database of all customers that have not been active for more than 3 years. Am I required to notify all these customers? ...what happens if, hypothetically, one of these customers then came to me and requested portability of their data under the GDPR?

As I read more about the GDPR, there are so many grey-area hypothetical situations I'm conjuring up, it'll be interesting to see how the regulations will be enforced in practice...

FoGia

Involved In Discussions
#2
Why would it be a problem to delete the data? From a GDPR standpoint you are effectively reducing the privacy risks by removing the information. You can do that as a controller without notifying the people involved. Btw this is considered good practice since you're removing data that are no longer of use (principles laid out in Art. 5).

Yes you're bound to data portability, but if there's no data, then there's nothing to transfer.

Ian_Morris

Involved In Discussions
#3
It depends on what basis you are holding the information.
If it is on a consent basis only, i.e. a marketing database, then deleting it should not be a problem, provided you keep records of people that had refused or removed permissions previously to ensure that you do not inadvertently communicate with them in the future.
If it is being kept for contractual, or legal purposes then clearly you cannot simply delete it, as it is necessary for the purpose intended.

Mark Meer

Trusted Information Resource
#4
...From a GDPR standpoint you are effectively reducing the privacy risks by removing the information....
The question is: is this a data privacy regulation, or a data protection regulation? (the name would seem to imply the latter)

If privacy is the ultimate intent, then I agree with you. Deleting someone's data certainly reduces privacy violation risk.

If, however, the regulation is framed/interpreted in a sense that persons have a right to their personal data, and hence the data must be appropriately protected, and they should be able to exercise a certain degree of ownership, then I could see how deleting without notification could be potentially an issue.

We'll see how it plays out in the future I guess...

Ian_Morris

Involved In Discussions
#5
It is both really.

It starts with privacy (the wording actually includes the statement privacy by design), but once you have it there is a duty of care to protect it.

FoGia

Involved In Discussions
#6
As a controller you (have to) define the terms under which the data gets stored, collected, archived, accessed, but also removed. You have to define a retention period, for instance, after which the data must be deleted, and the modalities of the deletion. As a controller there are no obligations to inform someone that you are going to remove their data from your system (unless of course you are bound by an agreement to do so or if you're obliged by law to do it - but that falls outside the GDPR requirements).
If someone asks for their data after the retention period has expired, you're within your rights to simply say 'sorry I don't have that data'.

Where I have a question myself is what kind of trail the company needs to keep in order to demonstrate that the deletion process has been implemented correctly. I would imagine keeping a log of number of deletions but of course there will be no way to tell the requestor "your record was part of our database but was deleted on XXXX".
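As an added illustration of the retention purge and deletion trail discussed in this and the earlier posts (example code written for this page, not code from the forum or any poster), the following Python assumes each customer record carries a lawful basis and a last-activity date, and that a per-deployment secret TRAIL_KEY is held apart from the customer database. It purges consent-basis records inactive past the retention period, retains contract/legal-basis records, and keeps a keyed-hash trail so a later "did you hold my data?" enquiry can be answered without keeping the purged personal data alive in the log.

```python
from datetime import date, timedelta
import hashlib
import hmac

RETENTION_DAYS = 3 * 365  # the thread's "not active for more than 3 years"
# Assumption: a per-deployment secret kept apart from the customer database.
TRAIL_KEY = b"constructed-demo-key-do-not-reuse"


def trail_token(customer_id: str) -> str:
    """Keyed hash of the customer id, logged instead of name/e-mail.
    Still pseudonymised, not anonymous: only a holder of TRAIL_KEY can
    confirm that a given id appears in the trail."""
    return hmac.new(TRAIL_KEY, customer_id.encode(), hashlib.sha256).hexdigest()


def purge_inactive(customers, today, deletion_log, retention_days=RETENTION_DAYS):
    """Return the records to keep; append one trail entry per purged record.
    Only consent-basis data is purged: records held for a contract or a
    legal obligation are retained regardless of inactivity."""
    cutoff = today - timedelta(days=retention_days)
    kept = []
    for c in customers:
        if c["basis"] == "consent" and c["last_active"] < cutoff:
            deletion_log.append({"token": trail_token(c["id"]),
                                 "deleted_on": today.isoformat(),
                                 "reason": "retention period exceeded"})
        else:
            kept.append(c)
    return kept


def deletion_date(customer_id, deletion_log):
    """Answer a later access request: the purge date, or None if never logged."""
    token = trail_token(customer_id)
    return next((e["deleted_on"] for e in deletion_log if e["token"] == token), None)


# Constructed sample data for the demo.
SAMPLE_TODAY = date(2021, 1, 1)
SAMPLE_CUSTOMERS = [
    {"id": "cust-A", "name": "A. Example", "basis": "consent", "last_active": date(2017, 6, 1)},
    {"id": "cust-B", "name": "B. Example", "basis": "consent", "last_active": date(2020, 6, 1)},
    {"id": "cust-C", "name": "C. Example", "basis": "contract", "last_active": date(2016, 1, 1)},
]


def demo():
    log = []
    kept = purge_inactive(SAMPLE_CUSTOMERS, SAMPLE_TODAY, log)
    return [c["id"] for c in kept], log, deletion_date("cust-A", log), deletion_date("cust-B", log)
```

Note that the trail entries are still personal data in the pseudonymised sense, so TRAIL_KEY and the log need their own retention and access rules.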

Ian_Morris

Involved In Discussions
#7
Before you get to the point of the activities you describe, as the controller you have to determine what personal information is absolutely necessary for the purpose that you need it for and advise the individual of the same.
You also have to determine whether you keep a documented record of what information you will have and how it will be handled through its life-cycle (this is a legal requirement if you have more than 250 employees).

With regards to deletion of the data, this should be included within your record and / or control of records and retention policies. I am not aware of any requirement to advise someone that you have deleted their information when it is no longer required; it works on the basis that you either have information or you don't.

In the event that they make a subject access request and confirm that you do not hold any personal information for them, there is the possibility that they may complain to your regulator. It will be important to show that you have done a proper search of your systems to have confirmed that you do not hold any information.