One of the GDPR questions that is repeatedly asked concerns the application of the ‘Right to Erasure’ (also referred to as the Right to be Forgotten) to archived data in the form of backups.
To recover backups from storage so that an individual’s information can be deleted from each one is far too onerous a task, particularly when an organisation deals with large datasets and is likely to receive more than an occasional request of this nature.
There is still some confusion regarding three ‘rights’ which are quite similar in principle but which serve different purposes and merit a short explanation:
The Right to Erasure – Art. 17 GDPR
The Right to Restriction of Processing – Art. 18 GDPR
The Right to Object – Art. 21 GDPR
Each of these rights can be applied only within a particular set of circumstances relating to an individual right.
Right to Erasure
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
- the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
Right to Restriction of Processing
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
Right to Object
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
At this point it’s probably a good idea to point out that both the Right to Object and the Right to Restrict Processing apply specifically to the processing of data and not necessarily its complete erasure, even if one or more of the principles attached to each right apply. This leaves only the matter of the Right to Erasure, which requires a little digging into the legislation to identify how it might apply to archived data.
According to Art. 4 GDPR, a ‘filing system’ means any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis.
Compliance with a Legal Obligation (Data Controller)
Recital 65 allows that:
The further retention of the personal data should be lawful where it is necessary for compliance with a legal obligation (paraphrased).
The Legal Position
If archived or stored data no longer meets the criteria of a ‘filing system’ because they are not sufficiently accessible to qualify, the Data Controller’s legal obligation to ensure that a Data Subject’s information is erased, following the exercising of their Art. 17 Right to Erasure, means that retention of the personal data is allowable for the purpose of erasing it from any backup or archive.
We know from Recital 59 that:
- Controllers should have a system (“modalities”) in place to deal with requests from data subjects exercising their GDPR rights and
- Such requests must receive a response without “undue” delay and, “at the latest within one month”. If the controller does not intend to comply with the request because they have a right to refuse, then they must advise the data subject within the same time frame giving their reasons for this.
- With very limited exceptions (such as SAR requests which are “manifestly unfounded”) controllers must deal with requests without any charge to data subjects
What this does mean is that controllers will need a cost-effective and efficient system that can deal with responses to data subjects exercising their GDPR rights.
In addition, if you have disclosed the personal data in question to any third party, then you must inform that third party of, as applicable, the erasure or restriction unless it is impossible to do so or “involves disproportionate effort”.
The real test therefore may relate to that which is impossible or “involves disproportionate effort” and will depend on the individual circumstances.
When the Data Protection Bill is finalised it may hold some answers. Certainly, Lord Storey has made it very clear that “terminology needs to be clearly defined, not left open to later judicial interpretation. For example, if a right is to be denied on the basis that complying with it would involve disproportionate effort, there needs to be a definition of “proportionate”.
Alternatively, it may be left for the Data Controller to determine what will constitute an impossibility of situation or “disproportionate effort”.
The other test will be to determine what constitutes undue delay, which will need to be subjected to a ‘reasonableness test’ in the courts which will, in turn, depend on several factors including:
- Size of the organisation
- Volume of Data Subjects
- Nature of the data
- Frequency of Art. 17 events
- Difficulty involved in erasing an individual record from archive
It’s unlikely that the Data Protection Bill will hold all of the answers, so it remains for the Data Controller to determine what will constitute a reasonable delay. If you’re lucky enough to have access to a Data Protection Officer who can interpret your position based on the nature of your operation, that would be a good conversation to have.
ByBob Edwards, GDPR and CyberCrime consultant, Lawhound
PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.
For more information on upcoming events, visit the website.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.
Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/