Data rights requests continue to be one of the most challenging areas of GDPR compliance. Last year, we published some practical tips on how to manage subject access requests. In this article, we focus on another tricky right under the GDPR – the right to deletion.
Practically speaking, deletion requests can pose challenges of their own, in particular where data is unstructured, stored in back-up servers or held by a third party. However, navigating the legal questions and understanding the extent of your obligations can also be complicated. This is especially true given a number of non-European jurisdictions have introduced similar rights to deletion under their own privacy laws (such as California). In this article, we outline a 7-step process for approaching deletion requests that will help you keep on track and ensure you handle them correctly.
Deletion requests under the GDPR
The right to deletion – more formally known as the "right to erasure" – is one of the fundamental rights under the GDPR. Under Article 17(1), an individual can request that a controller delete all of the data they hold about the individual, whether that data was originally obtained from the individual, collected from a third party, or generated by the controller themselves. It's also one of the most popular rights and individuals are increasingly keen to exercise it.
The GDPR contains two other rights that are related to the right to deletion:
- under Article 7(3), where the controller is relying on the individual's consent to process their data, the individual may withdraw their consent; and
- under Article 21(1), where the controller is relying on legitimate interests to process an individual's data, the individual may object to the processing of their data.
You can think of these rights as doppelgängers – they look similar to each other but only one of them exists in any given situation. Essentially, if you are relying on consent as your lawful basis for processing then the individual can withdraw their consent, whereas if you are relying on legitimate interests then the individual can object to the processing. Both of these rights are related to the right to deletion because they require the controller to stop processing the individual's data, which (in many cases) will mean deleting the individual's data as well. An individual can submit a withdrawal/objection request, a deletion request, or both.
It goes without saying that each of these rights has different requirements and exceptions, so things can get complicated very quickly. To make things simpler, we have broken down the questions you should be asking yourself whenever you receive one of these requests.
1. What law applies to the data?
When responding to any rights request, your first step should always be to determine what law applies to the data in question. Where are you established? And where does the request come from – the EU, UK, California or elsewhere? This question is fundamental because it dictates your legal obligations, as well as more practical matters like what verification steps you should be following and the deadline by which you have to respond.
This is true even if you are adopting a "global" approach to rights requests – in other words, you have decided to honour requests from all individuals, no matter their location and whether they actually benefit from those rights under the law. This is because the relevant law will also dictate whether you are actually responsible for dealing with the request in the first place – something we cover in the next step.
2. What is your data processing role?
Once you have identified the relevant law, you should determine your data processing role under that law. This question is equally important because, depending on the data in question, you may not actually be required – or indeed permitted – to honour the request.
Under the GDPR you may be acting as either a "controller" or "processor" of the data in question, while under the CCPA you may be a "business" or "service provider". As the "controller" / "business" of the data, you are responsible for honouring the request. By contrast, as a "processor" / "service provider" you are merely processing the data on behalf of your customer (as the "controller" / "business") and should therefore only be responding to the request with your customer's permission and in accordance with their instructions.
For many organisations, this question will be relatively straightforward. For others, it could be more complicated. This is because the concepts of "controller" / "business" and "processor" / "service provider" are not fully aligned, so in some cases you could be acting as a "service provider" under the CCPA but be considered a "controller" under the GDPR. Whatever the situation, it is important to get this right to ensure you do not act outside the scope of your customer's instructions and inadvertently step into a different data processing role.
Here, we are focusing on GDPR requests so will assume that the GDPR applies and you are the relevant controller for the data in question. You will now have to consider what you are using the data for and your legal basis for processing.
3. Are you relying on the individual's consent to process the data?
Generally speaking, the rights under the GDPR are not absolute rights and there are situations where you are not obligated to comply with a request. However, if you are relying on the individual's consent to process the data, then you will have to stop processing it for that purpose and, if requested, delete it. This is because an individual's right to withdraw consent is an absolute right and can be exercised at any time. This is why consent is often not an appropriate basis for processing – for example, if you actually need the data to provide a service to the individual or are using it for a legitimate purpose that would be compromised if you have to delete it on demand (such as if you are using the data to improve your AI algorithms and it forms an integral part of the model). If you are not relying on consent to process the data, or have some other legitimate need to retain it, then there are a number of situations where you may not be required to comply with the request.
4. Do you need the data to fulfil a contract with the individual?
The first of these situations is where you need the data to fulfil a contract with the individual, i.e. to provide a product or service that the individual has specifically requested. This would be relevant, for example, if you need the individual's email address to send them notifications and alerts about a service they have registered for. Here, you would be relying on contractual necessity as your lawful basis for processing and you still need the data to fulfil that purpose – in this situation, the GDPR allows you to continue processing the data. Just bear in mind that as soon as the data is no longer needed, you will be required to delete it.
5. Do you need the data to comply with a legal obligation?
Similarly, if you need the data to comply with a legal obligation, then you can continue to process the data and are not required to comply with the request. This would be relevant, for example, if you are required to retain employee data for tax reporting purposes or client account data for anti-money laundering purposes. Whatever the reason, you must be able to clearly identify the obligation and demonstrate that retaining the data is a reasonable and proportionate way to meet it.
6. Are you using the data for any of the "exempt purposes"?
Apart from these purposes, the GDPR also states that you do not need to comply with an objection or deletion request if you are using the data for any of the "exempt purposes". There are a number of these exempt purposes and they are spread out across Articles 23, 85 and 89. In a commercial context, the most common relate to processing which is necessary:
(a) to protect the rights to freedom of expression and information, including for journalistic, academic, artistic or literary purposes (Article 85(2));
(b) for scientific, historical or statistical research (Article 89(2));
(c) to prevent or detect crime, including fraud (Article 23(1)(d)); and
(d) to protect the rights and freedoms of others (Article 23(1)(i)).
If you are processing the data for one of these purposes, you may be justified in refusing to comply with the request, but you must be able to demonstrate that doing so would render impossible or seriously impair the achievement of the purpose.
Ultimately, the way these exemptions apply and are interpreted is determined by Member State law rather than the GDPR itself – this is an area where Member States can derogate and set their own rules. Some countries take a more expansive view of the exemptions, whereas others take a much more restrictive view. If you think you are using data for one of these purposes, you will need to obtain local advice from the relevant jurisdiction to ensure the exemption applies and consider whether there are any additional conditions you need to comply with.
7. Are there any "overriding" or "compelling" grounds to process the data?
If you have reached this far, it means you are not relying on the individual's consent to process the data, and do not need the data to fulfil a contract, comply with a legal obligation or perform one of the "exempt purposes". Instead, you are likely processing the data for another purpose and relying on legitimate interests as your lawful basis to do so.
If this is the case, then you can only continue to process the data if you can show there are "overriding" or "compelling" grounds that outweigh the objection and deletion rights of the individual. This is articulated under Article 17(1)(c) and Article 21(1) of the GDPR. Essentially, you must be able to demonstrate that the continued use of the data is justified considering the benefits of the processing and the potential adverse effects on the individual – this is known as the "balancing test".
This may sound familiar to you, because in order to rely on legitimate interests in the first place you would have had to satisfy the balancing test under Article 6(1)(f). However, this time round things are slightly different because you must not only be able to show there are legitimate interests that lawfully permit you to process the data, but that those interests are sufficiently compelling to "override" an objection or deletion request. Essentially, the bar has been raised and the balance is weighted more favourably on the side of the individual.
The most effective way to carry out this balancing test is by completing a Legitimate Interests Assessment – or an "LIA". An LIA is essentially a risk assessment that considers the benefits of the interests pursued (which may include your interests as the controller, the interests of your customers, as well as the wider benefits to society) and the potential risks to individuals.
At present, the European Data Protection Board has not issued any guidance on deletion or objection requests under the GDPR and regulatory guidance is fairly limited. However, a number of regulators have issued LIA templates that can be repurposed to assess the balancing test in the context of objection and deletion requests.
If you can satisfy the balancing test, then you may continue to process the data and are not required to delete it. On the other hand, if you cannot satisfy this test then you will not have a lawful basis to continue processing the data and will be required to stop processing it and, if requested, delete it altogether.
What may be clear at this stage is that dealing with deletion requests can be far from simple and the legal issues can be difficult to navigate. In an ideal world, you will have already thought through these questions before you receive a request, rather than having to consider them under the pressure of the GDPR's tight response deadlines. Suffice it to say, if you need a helping hand you know who to call.