To delete, or not to delete, that is the question

What does the revised Swiss Federal Act on Data Protection (revFADP) require regarding Data Deletion, Retention, and the Right to be Forgotten?

Philipp Rosenauer
Partner Legal, PwC Switzerland

The Right to Erasure is also known as the Right to be Forgotten. It derives from a 2014 Spanish case involving Google. The outcome of the ruling was that a search engine provider is required to consider requests from individuals to remove the linking of their names to freely accessible web pages. The Swiss version of the Right to Object already includes the right to erasure and restriction of personal data processing, but it can be overruled by an overriding private interest. For example, it does not apply when the processing is necessary for exercising the right to freedom of expression and information.

When can a private person request that their data be deleted?

According to the revFADP, the Right to Erasure can only be exercised if the relevant personal data are no longer needed for the purpose for which they were collected and if no other requirements oppose the right (e.g. tax data, invoice tracing, reporting requirements, and archiving). 

How to deal with requests concerning the Right to be Forgotten?

Individuals can make a request for erasure orally or in writing. In general, the process must be completed within 30 days. The period is extended by 30 days if a company has not yet succeeded in providing the data.

If the right to be forgotten is exercised, companies must be able to delete the relevant data at the first attempt. But this requirement may not always be easy to fulfil due to limited system capabilities. In fact, existing systems are often limited in terms of deleting data, one reason being that the relevant data may play a significant role in data integrity. Moreover, the complexity of the company’s system architecture and the number of affected systems may make it difficult to meet the request.

What solutions does the revFADP offer?

The aim is to prevent data from being misused or (re)used for purposes other than those to which the data subject originally consented. Strategies should be developed to enable effective control of personal data by data subjects. Hence, Privacy by design (protection of privacy during development) and Privacy by default (privacy-friendly default settings) should be implemented.

How should you react to limited deletion capacities?

Most companies use fragmented system architectures and do not have unified and/or holistic system inventories. Data are saved not only on local hardware, but also on cloud services. As a result, it is often not evident exactly where data are saved and processed (e.g. the precise data sources, and how and when outdated data are archived). Therefore, executing the Right to be Forgotten poses some challenges.

A strategic and automated deletion functionality thus requires the following:

  1. Determining which applications process which attributes
  2. Linking the attributes to the data taxonomy to determine the purpose and the legal basis
  3. Identifying the data source of each application
  4. Cleaning up archives
  5. Updating data policies
  6. Defining requirements to ensure that data are deleted when archived
  7. Defining requirements for the archive so that the legal retention period of the attributes is considered and aligned with the purpose and legal basis for processing/holding
  8. Defining requirements for deletion of personal data in the archive system, and
  9. Ensuring that there is no overlap of personal data between the archive and operational applications
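The following is an added example, not the article's or PwC's own code, of what steps 1 to 3, 7 and 9 of the list above look like once written down: a small data inventory links each application's attributes to a data taxonomy (purpose, legal basis, retention period), an erasure request is evaluated per system against that taxonomy, and overlaps between the archive and operational applications are reported. The application names, attributes, purposes, legal-basis labels and retention periods are constructed assumptions, not values taken from the revFADP.

```python
"""Added example, not the article's or PwC's own code: a small data inventory
that links each application's attributes to a data taxonomy (purpose, legal
basis, retention period) and evaluates an erasure request per system.
Application names, attributes, purposes and retention periods are constructed
assumptions, not revFADP values."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class TaxonomyEntry:
    purpose: str
    legal_basis: str       # constructed labels: "consent" or "legal_obligation"
    retention_days: int    # holding period after last activity; 0 = none


# Constructed taxonomy (step 2): data category -> purpose, legal basis, retention.
TAXONOMY: Dict[str, TaxonomyEntry] = {
    "contact": TaxonomyEntry("newsletter", "consent", 0),
    "billing": TaxonomyEntry("invoicing", "legal_obligation", 10 * 365),
}

# Constructed inventory (steps 1 and 3): application -> data source and
# attribute -> taxonomy category.
INVENTORY = {
    "crm":     {"source": "crm-db",        "attributes": {"email": "contact", "name": "contact"}},
    "erp":     {"source": "erp-db",        "attributes": {"invoice_address": "billing", "name": "billing"}},
    "archive": {"source": "archive-store", "attributes": {"invoice_address": "billing", "email": "contact"}},
}


@dataclass
class Decision:
    application: str
    source: str
    attribute: str
    action: str                    # "delete", "retain_until" or "keep"
    retain_until: Optional[date] = None


def evaluate_erasure(inventory, taxonomy, last_activity: date, today: date,
                     active_purposes: Set[str]) -> List[Decision]:
    """Decide, per application and attribute, what an erasure request means:
    - purpose still active            -> keep (data still needed for the original purpose)
    - legal retention not yet expired -> retain_until that date (step 7)
    - otherwise                       -> delete"""
    decisions = []
    for app, info in inventory.items():
        for attr, category in info["attributes"].items():
            entry = taxonomy[category]
            if entry.purpose in active_purposes:
                decisions.append(Decision(app, info["source"], attr, "keep"))
                continue
            until = last_activity + timedelta(days=entry.retention_days)
            if entry.legal_basis == "legal_obligation" and today < until:
                decisions.append(Decision(app, info["source"], attr, "retain_until", until))
            else:
                decisions.append(Decision(app, info["source"], attr, "delete"))
    return decisions


def overlapping_attributes(inventory, archive_app: str = "archive") -> Dict[str, List[str]]:
    """Step 9: attributes held both in the archive and in an operational application."""
    archive_attrs = set(inventory[archive_app]["attributes"])
    overlaps = {}
    for app, info in inventory.items():
        if app == archive_app:
            continue
        common = sorted(archive_attrs & set(info["attributes"]))
        if common:
            overlaps[app] = common
    return overlaps


def run_demo(today_iso: str = "2024-01-01", active_purposes=()) -> Dict[tuple, Decision]:
    """Evaluate a constructed request from a customer last active on 2020-01-01."""
    decisions = evaluate_erasure(INVENTORY, TAXONOMY, date(2020, 1, 1),
                                 date.fromisoformat(today_iso), set(active_purposes))
    return {(d.application, d.attribute): d for d in decisions}


if __name__ == "__main__":
    for key, d in run_demo().items():
        print(key, d.action, d.retain_until)
    print("archive overlaps:", overlapping_attributes(INVENTORY))
```

Run as a script, the demo shows consent-based contact data being deleted everywhere, billing data being retained until the constructed ten-year period has elapsed, and the archive overlapping with both operational systems on `email` and `invoice_address`, which is exactly the overlap step 9 says must be eliminated so that one deletion decision does not have to be re-applied in several places.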


How do you securely delete personal data?

Before destroying or deleting data, a company must ensure that all relevant rules and requirements for the secure disposal of electronic data have been met.

Simply using a delete command without additional measures leaves data that are easily recoverable. Therefore, you should perform frequent disaster recovery exercises to strengthen the readiness within your company.

In fact, there are two basic methods to irretrievably erase data. On the one hand, you can physically destroy or demagnetise the storage media, or overwrite the relevant data. On the other hand, it is also possible to anonymise the dataset, thus making it impossible to re-identify individuals from it.
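As an added example, not the article's or PwC's own code, the block below shows the two methods from the paragraph above that can be demonstrated in software: overwriting the relevant data in place (and forcing the write to disk) before the file is unlinked, as opposed to a plain delete that only removes the directory entry, and anonymising a record by suppressing direct identifiers and generalising the remaining quasi-identifiers. The file contents, field names and generalisation rules are constructed assumptions.

```python
"""Added example, not the article's or PwC's own code: a plain delete versus
irretrievable erasure. (1) overwrite a file's bytes in place and fsync before
unlinking it; (2) anonymise a record so that individuals can no longer be
re-identified. File contents, field names and the generalisation rules are
constructed assumptions."""
import os
import tempfile

CHUNK = 1 << 16


def overwrite_file(path: str, passes: int = 1) -> int:
    """Overwrite every byte of the file in place and force it to disk.
    Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = os.urandom(min(remaining, CHUNK))
                f.write(chunk)
                remaining -= len(chunk)
            f.flush()
            os.fsync(f.fileno())   # without fsync the new bytes may sit only in the page cache
    return size


def secure_remove(path: str, passes: int = 1) -> int:
    """Overwrite, then unlink. A bare os.remove() only drops the directory entry."""
    written = overwrite_file(path, passes)
    os.remove(path)
    return written


# Constructed rules: direct identifiers are suppressed, quasi-identifiers generalised.
DIRECT_IDENTIFIERS = {"name", "email", "phone"}


def anonymise_record(record: dict) -> dict:
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                          # suppress the identifier entirely
        if field == "birth_date":
            out["birth_year"] = value[:4]     # YYYY-MM-DD -> YYYY
        elif field == "postcode":
            out["postcode_area"] = value[:2]  # four-digit Swiss postcode -> area
        else:
            out[field] = value
    return out


def demo_overwrite(secret: bytes = b"Max Muster, Bahnhofstrasse 1, 8001 Zuerich") -> dict:
    """Write a constructed record to a temp file, overwrite it, and check that the
    original bytes are gone while the file size is unchanged; then remove it."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    overwrite_file(path)
    with open(path, "rb") as f:
        after = f.read()
    removed = secure_remove(path) == len(secret) and not os.path.exists(path)
    return {"size_kept": len(after) == len(secret),
            "secret_gone": secret not in after,
            "removed": removed}


if __name__ == "__main__":
    print(demo_overwrite())
    print(anonymise_record({"name": "Max Muster", "email": "max@example.com",
                            "birth_date": "1985-03-14", "postcode": "8001",
                            "city": "Zuerich"}))
```

Two caveats a practitioner should keep in mind. In-place overwriting is only reliable where the filesystem writes back to the same physical blocks; on SSDs with wear levelling, and on copy-on-write or journaling filesystems, earlier copies of the data can survive, so whole-device sanitisation or destruction of the key of an encrypted volume is the dependable route there. Anonymisation is likewise only as good as the re-identification risk that remains in the generalised fields, so the rules above must be checked against the actual dataset rather than applied blindly.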

