GDPR and The Right To Be Forgotten / Right Of Erasure

Transcript of the Video

Good afternoon, ladies and gentlemen. Suzanne Dibble here, data protection law expert, coming to you raw and uncut. Today, I want to talk to you about opt-outs and the right to erasure, or the right to be forgotten, because there have been a lot of comments in the group, and questions in the group, about "what happens if somebody opts out?" Does that mean you have to delete all of their data? What if somebody writes to you and requests the right to be forgotten? What can you keep and what can't you? I just wanted to take you through that because, well, it's important to get it right, really. Okay.

Article 17 is all about the right of erasure, or the right to be forgotten. Now, this is where you are, as the name suggests, forgetting that data subject and erasing the vast majority of the data. Now, that's slightly different to an opt-out. If you have relied on consent as a ground for processing, and that person opts out of that marketing and opts out from receiving your emails, then that is not the same as a right to be forgotten, because obviously what you need to have on record is that that person has opted out, because you don't want ... There might be some other reason how their name finds its way into your database. You want to be able to know that they have said, "I don't want to receive those marketing emails."

So, what about the right to be forgotten? Now, this is where the data subject can write to you and say, "I want to exercise my right to be forgotten." If he or she does that, then you, as the data controller, i.e., the person controlling the data, have the obligation to erase personal data without undue delay where one of the following grounds applies. Okay, so it's not absolute. Firstly, if the personal data is no longer necessary in relation to the purposes for which it was collected or processed; and in reality, you should be looking at deleting that data anyway because of the data minimization principle.

The second one is if the data subject withdraws their consent on which the processing is based, and where there's no other legal ground for the processing. Like I say, if you'd gone to the data subject and asked for their consent for a particular purpose, i.e., you're going to send them promotions about your goods and services, and they withdraw that consent, then if there's no other ground for processing that data, you should delete it. Now, like I've already said, the other ground ... if somebody withdraws their consent for marketing, you want to be able to retain the data, to retain certain elements of the data, so that you don't ... If they for some reason end up on your list again, so that you don't send them marketing messages that they said they don't want to receive.

In that instance, what would be a legal ground of processing? Probably legitimate interests. It would be in your legitimate interest to make sure that you're not going to be annoying your customers by sending them information that they've actively requested that you don't send them. Is there an impact on their rights and freedoms as well? No, because it's giving them what they've wanted. Chances are you can rely on legitimate interests to retain the minimum amount of data that you need in order to enable you not to send out marketing emails to those people who have said that they wanted to opt out of it. Okay, then there are four other grounds, which aren't really relevant, so I'm not going to go through those.

Now, the other thing to note is that a lot of people, again in the group, have said, "But hang on a minute. I can't erase all the data because I need to keep things for legal reasons. I need to keep it for my insurance. Surely, I don't need to delete it all, because that wouldn't make sense at all, would it?" Happily, there is a section in Article 17 that deals with exactly that. It says that paragraphs one and two, which are the paragraphs saying that the controller has the duty to comply with the right to be forgotten in certain instances, won't apply to the extent that the processing is necessary for compliance with a legal obligation, or for the establishment, exercise or defense of legal claims.

Now, there are other exemptions there, but again they're not so relevant to us, so I'm only going to concentrate on those two. Compliance with a legal obligation: so if you have a legal obligation to keep records for a certain period of time (and do go and check out my GDPR pack; I have a document retention policy in there, which sets out all the legal time limits for which you've got to store documentation), in that instance, you don't need to delete those records. If you've got to hold them by law, you don't have to delete them. And the establishment, exercise or defense of a legal claim: for example, the limitation period for contractual claims is six years, so you would be keeping contracts, maybe email chains where you've been discussing elements of the service or the contractual terms, anything that would need to be produced in order to defend a legal claim or to establish or exercise a legal claim. You are entitled to keep that too.

It isn't an absolute right to be forgotten. I think that some people have been thinking that if a prospect simply opts out of your marketing emails you have to delete all of their data, and of course, you don't. The same applies if they're a customer. For example, if, for whatever reason, they've decided that they don't want to receive your marketing emails, then, of course, you have to keep their data in order to fulfill that contract. That is the legal ground for the processing that you've been relying on.

Okay, so I think that's helpful and sets a few minds at rest. As always, if you have any questions on that, then pop them in the comments below. Let me know what else you want me to talk about. I'm kind of running out of areas now. We've done so many videos. There's another 60 days-ish. I haven't actually calculated the exact number; approximately 60 days to go. I've committed to do a video a day until GDPR comes into force, so another 60 videos to think about. If you've got a question that you think would be well answered by the format of a video, then paste it in the group and I will add it to my list. Yeah, let me know. Let me know what's concerning you, okay. Thanks for watching, guys. As always, I'll see you soon.