Employer’s Guide to GDPR Part Six – Right to Erasure
Keeping HR Simple have teamed up with Data Protection Specialist Simon Hinks. Simon works closely with businesses and charities on data protection, compliance and data auditing, and helps them to understand their GDPR/DPA gaps. His hot topics include GDPR compliance and data audits, communication audits and customer journey audits.
We asked Simon to talk to us about the big picture of GDPR and what that means from an HR point of view. This time, we’re looking at the right to erasure.
Right to Erasure
A core principle of GDPR is accountability for personal data, in particular the right to erasure. As a customer or staff member, you can ask for your details to be erased. However, the right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- When the individual withdraws consent.
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
- Where the personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
- Where the personal data has to be erased in order to comply with a legal obligation.
- Where the personal data is processed in relation to the offer of information society services to a child.
There are some specific circumstances where the right to erasure does not apply and you can refuse to deal with such a request. You can refuse to comply with a request for erasure where the personal data is processed for the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation for the performance of a public interest task or exercise of official authority;
- for public health purposes in the public interest;
- for archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
- the exercise or defence of legal claims.
Children’s personal data
There are extra requirements when the request for erasure relates to children’s personal data, reflecting the GDPR emphasis on the enhanced protection of such information, especially in online environments. As a business, you need to create a policy which allows you to confirm the request for erasure. Once this is confirmed, you are able to source all the relevant data, including backups, and confirm erasure or partial erasure, unless you have a good reason to retain data until a certain point in time.
More information coming soon but in the meantime if you have any questions, don’t hesitate to contact us!