This is how companies should proceed with a deletion request
Up to this point, we have looked at deletion requests from the perspective of data subjects. Now it’s about the company’s point of view: What is the ideal reaction to a request for deletion? First of all, it should be noted that the law does not provide any precise specifications for the “how” of the deletion. In addition to Article 17 of the GDPR, the principles of help with right to be forgotten data processing as formulated in Article 5 of the regulation are relevant here for orientation.
The request must be checked before it can be deleted. The following list of questions can help:
• Is the request legitimate? The first step here is to verify the identity of the person who submitted a request for deletion. If there is reasonable doubt, the company should request further information.
• Is there an obligation to delete? The response to the query is not simple. The right to erasure may conflict with storage obligations – for example for tax reasons or in the case of patient files from doctors.
If both questions can be answered positively, companies are obliged to delete them “immediately” according to the GDPR. What does that mean in practice? A professional extinguishing concept is well suited. “Immediately” is then to be understood in such a way that companies do not culpably delay the deletion as part of their usual technical and organizational processes.
However, it is also generally accepted that for technical reasons not every deletion with a mouse click works. This applies, for example, to backups, which may take months to delete. However, the following deadline plays an important role: Whether the data has already been deleted, the deletion process is ongoing or there are reasons against deletion: companies must inform the applicant within one month about the measures they have taken, free of charge.
Data Deletion Exceptions
The GDPR formulates several reasons that can be brought against a request for the deletion of personal data. These include the right to freedom of expression and information, legal obligations that require processing (such as tax-relevant documents or medical records), public interests or the establishment, exercise or defense of legal claims.
In individual cases, there are often balancing decisions. For example, the Federal Court of Justice (BGH) rejected an action for deletion against the search engine provider Google. Here, the former manager of a welfare association wanted to ensure that negative news for him was no longer linked to a search for his name. In contrast, the BGH ruled that the public interest in the reporting prevailed.
The right to erasure is one of the most important achievements of the GDPR. A bit of trust is part of it – because in the information age, who can really know for sure whether the last backup copy of a data set has been deleted? Nevertheless, our little self-test shows that the regulation works gdpr case studies. “Every citizen has the right to “not be forgotten.”