May 15, 2018

GDPR’s Most Frequently Asked Questions: Does a Company’s Reason for Processing Information Impact Whether It Must Delete it?

BCLP

+ Follow Contact

Send

Embed

The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.

To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR, and concerning related data privacy laws in the European Union.

Question: Does a company’s reason for processing information impact whether it must honor a right to be forgotten request?

Answer: Yes.The right to be forgotten is not an absolute right and must only be honored in a narrow set of circumstances.

When determining whether a right to be forgotten request must be honored one of the factors that companies look to is why they collected the information in the first place, and their purpose in continuing to use it. The GDPR recognizes six situations in which a company may process personal data. When processing is based on some of those situations, referred to as permissible purposes, a request to be forgotten may always be denied; when processing is based on other permissible purposes a request to be forgotten may, or may not, need to be honored depending upon additional factors.

The following chart indicates which permissible purposes confer which substantive rights on individuals, and highlights those that relate to the right to be forgotten. A “Y” indicates that an individual’s request may have to be honored; a “X” indicates that in almost all situations an individual’s request can be denied.

Permissible Purpose	Right to be forgotten	Right to Access data	Right to data portability	Right to rectification	Right to object to processing
Consent (i.e., Article 6(1)(a))	Y	Y	Y¹	Y	Y²
Contract (i.e., Article 6(1)(b))	Y	Y	Y³	Y	X
Compliance with legal obligation (i.e., Article 6(1)(c))	X	Y	X	Y	X
Protecting vital interest of data subject (i.e., Article 6(1)(d))	Y	Y	X	Y	X
Public interest (i.e., Article 6(1)(e))	Y⁴	Y	X	Y	Y
Legitimate interest of controller (i.e., Article 6(1)(f))	Y⁵	Y	X	Y	Y

1. Note that processing must also be carried out by automated means in order for right to apply. GDPR, Article 20(1)(b).

2. Although an individual does not have a right to object pursuant to GDPR Article 21, they do have a right to withdraw consent pursuant to GDPR Article 7(3).

3. Note that processing must also be carried out by automated means in order for right to apply. GDPR, Article 20(1)(b).

4. When a request is made the controller is required to determine whether there is an overriding legitimate grounds for processing.

5. When a request is made the controller is required to determine whether there is an overriding legitimate grounds for processing.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

Written by:

BCLP

Contact + Follow

less

Published In:

Corporate Counsel

+ Follow

Data Controller

+ Follow

Data Privacy

+ Follow

General Data Protection Regulation (GDPR)

+ Follow

Personal Data

+ Follow

Right to Be Forgotten

+ Follow

Young Lawyers

+ Follow

General Business

+ Follow

Privacy

+ Follow

less

BCLP on:

GDPR’s Most Frequently Asked Questions: Does a Company’s Reason for Processing Information Impact Whether It Must Delete it?

Related Posts

Written by:

Published In:

BCLP on:

"My best business intelligence, in one easy email…"