Enshrined in the GDPR is the Right to be Forgotten - The Right to Erasure. But can companies ever deny a customer's request for their data to be erased?
In an ongoing series, MyCustomer speaks with a panel of experts to try to bring clarity to some of the more opaque areas of the impending General Data Protection Regulation (GDPR).
So far, we have explored repermissioning - specifically, how to know if you need to repermission your customers for consent to continue using their data, and best practices for repermissioning.
We have also examined the issue of “legitimate interest”, with our team of experts answering what legitimate interest is and how to know if your use of data qualifies.
Now the panel is turning its attention to the right to be forgotten. In the last article, they discussed how to process requests for erasure.
And in this follow-up piece, the panel explores the exceptions to the right to be forgotten - if you can ever reject a request for erasure.
First of all, the right to erasure is not a blanket right - it only applies in certain circumstances:
- If the data is no longer necessary to meet the purposes for which it was originally collected.
- If the data subject has previously given consent for processing and withdraws or has withdrawn that consent (as long as there is no other legal basis for the processing).
- If the individual uses his or her right to object to the processing.
- If the way the data was collected in the first place was not legal.
- If there is a legal reason for the data to be erased.
- If the data was collected when the individual was a child.
As long as any of the above conditions are met, the individual has the right to have their data erased. But there are exceptions where the data either may or must be retained. For example, if the processing is necessary:
- To exercise the right to freedom of expression;
- For compliance with a legal obligation (for example, banks must retain data for seven years and such data is not subject to the right to be forgotten);
- For reasons of public interest in the area of public health - for scientific or historic research in the public interest; or
- To support legal claims.
A tricky area is the matter of backup data where it may require disproportionate effort and cost to "forget" an individual. Organisations are allowed to keep a record of the fact that a specific individual has been "forgotten", and some companies are using that "forgotten" file as a suppression file should a backup file need to be used to restore data that has been lost, deleted or corrupted. But backup files should, as a matter of best practice, be kept offline as there is really no requirement for backup data to be kept live or online.
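The suppression-file approach described above can be sketched as a filter applied during a restore. This is an added example, not code from the article or the panel; the names (`SuppressionFile`, `restore_from_backup`), the use of e-mail as the identifier and the choice to store HMAC-SHA-256 tokens rather than raw identifiers are all assumptions made for illustration.

```python
import hashlib
import hmac

def suppression_token(key: bytes, identifier: str) -> str:
    """Keyed hash of a normalised identifier (assumption: HMAC-SHA-256)."""
    normalised = identifier.strip().lower()
    return hmac.new(key, normalised.encode("utf-8"), hashlib.sha256).hexdigest()

class SuppressionFile:
    """Record of who has been "forgotten", held as tokens, not raw identifiers."""
    def __init__(self, key: bytes):
        self._key = key
        self._tokens = set()

    def record_erasure(self, identifier: str) -> None:
        self._tokens.add(suppression_token(self._key, identifier))

    def is_forgotten(self, identifier: str) -> bool:
        return suppression_token(self._key, identifier) in self._tokens

def restore_from_backup(backup_rows, suppression, id_field="email"):
    """Return (rows safe to restore, count of rows withheld)."""
    restored, withheld = [], 0
    for row in backup_rows:
        identifier = row.get(id_field)
        # A row with no identifier cannot be checked, so it is withheld for review
        if not identifier or suppression.is_forgotten(identifier):
            withheld += 1
            continue
        restored.append(row)
    return restored, withheld

# Constructed sample data standing in for rows read from an offline backup
SAMPLE_BACKUP = [
    {"email": "alice@example.com", "name": "Alice"},
    {"email": "Bob@Example.com ", "name": "Bob"},
    {"email": "carol@example.com", "name": "Carol"},
    {"name": "no identifier"},
]

if __name__ == "__main__":
    forgotten = SuppressionFile(key=b"constructed-demo-key")
    forgotten.record_erasure("bob@example.com")
    rows, withheld = restore_from_backup(SAMPLE_BACKUP, forgotten)
    print([r["name"] for r in rows], withheld)
```

Normalising the identifier before hashing matters here: the backup may hold the same address with different casing or stray whitespace, and an unnormalised comparison would silently restore an erased record.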
Kim Smouter, the head of government affairs at ESOMAR
Can you ever reject a request for erasure? Absolutely! But under strict conditions. Firstly, it is possible to refuse a right to be forgotten if the information is necessary in the exercise of the right of freedom of expression and information; this is particularly important for news sites and journalists who potentially face requests to remove articles that the data subject may wish to see unpublished.
Additionally, there are exemptions foreseen if the data collection took place in order to comply with legal obligations or in the exercise of official authority for the public interest. A general public interest exemption also exists, for archiving purposes in the public interest, and for scientific research purposes and statistical purposes as well.
Another exemption applies if the data is necessary in the exercise or defense of legal claims; this too can be grounds for rejecting the request.
And finally, the other reason to refuse such a request is if the data itself has been anonymized in such a way that you cannot link the information back to the data subject.
Nonetheless, it will always be up to the organization to demonstrate the existence of such conditions to reject, which could then be subject to scrutiny by a DPA should a complaint result from the rejection of the request.
Paul Laughlin, founder, Laughlin Consultancy
There are situations in which it is reasonable to reject a request (or only partially fulfil it). Some are already clear, others are in that ‘grey area’, on which the ICO will probably decide case by case.
We are already clear as to a few reasons why you could legitimately reject a request:
- The data subject cannot evidence that they are who they claim to be (or have authority from that data subject), e.g. passport, etc.
- You have a professional duty to still hold that data (official authority, public interest or defence of legal claims), e.g. tax records, insurance claims, etc.
- It is in the public interest to still hold that data (more relevant for public bodies or journalists), e.g. freedom of expression, public right to know, etc.
- A public health basis (more relevant for those public health bodies, pharmaceuticals etc), e.g. data on infections, potential indicators, etc.
With regards to my aforementioned ‘grey areas’, I would suggest the following needs to be clarified:
- Should you continue to hold data to honour a marketing (or profiling) suppression, even if deleting other personal data?
- Should you continue to hold data, in a pseudonymised form, for analysis & predictive models that benefit other customers?
- Should you continue to hold data, where doing so has historically been best practice as set down by professional bodies (accountants, etc)?
Having said that, most cases will probably be legitimate and businesses need to prepare themselves for the spirit of this regulation. If the customer no longer wants you to hold their data, then no amount of commercial benefit for you is a defence against not honouring their ‘right to be forgotten’.