GDPR Right To be forgotten - is proof of deletion a requirement?

Hi all,

 

We've had the ability for people from GDPR countries to request for their data to be deleted from Marketo/SFDC since GDPR kicked-in.  If they submit a form, automation deletes them from the system.  So far so good.

 

But, some within the organisation feel that we need some way to prove (in a court of law I guess) that we have indeed deleted someone we were supposed to delete.

 

My stance has been that if we keep a record of the details of the people we delete, then in fact we are still keeping their personal info, thus breaking GDPR.  And if we only keep a token such as their Marketo or SFDC id, then that becomes worthless as proof after the record has been deleted.

 

How do you all deal with this issue?

 

Thanks in advance

 

Luben

Accepted Solutions
Re: GDPR Right To be forgotten - is proof of deletion a requirement?

So in the case where a user has exercised the Right to be Forgotten  (in regards to all of their data), that user’s personal data would technically no longer exist on your systems and as such the user would no longer be “identifiable” by you or your systems.

Article 12 of the GDPR states:

"The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject."

This means that data controllers are exempt from the fulfilment of “Users’ Rights”, where the data subject cannot be identified — as in the case where all of the user’s personal data is removed from your systems in the fulfilment of the initial request.

In this situation, there would be no possibility or need to “provide proof” of something that no longer exists in relation to an identifiable person.

In practical terms, the best way to handle such a request would be to clearly inform the user (at the time of the initial request) that in fulfilling the request, all their data will be removed and that it would, therefore, be impossible for them to exercise any further rights in regards to this data as the data will no longer exist on your systems.

Another required (in most cases)  and practical way of maintaining proof of your overall compliance is to maintain valid records in regards to your processing activities (like your delete smart campaigns) and acquisition of consent  (where applicable). This way, you are better equipped to prove (to the Authority or otherwise) that you have systems in place to facilitate the fulfilment of User’s Rights, even if the data in question is no longer available.

 

Best,
Darshil


Re: GDPR Right To be forgotten - is proof of deletion a requirement?

Thanks for the speedy and detailed reply Darshil.  Much appreciated.

 

I'm not sure I follow your last two sentences though.  If I delete the record, I also delete the Opt-in reason and Opt-in Date field values, so that info is also lost.

Re: GDPR Right To be forgotten - is proof of deletion a requirement?

Through Acquisition of Consent and processing activities, I did not mean that you should keep a record of that for each individual user after deleting the record; instead, I meant that in general it is advised to keep all the processes well documented and in place to prove that all your processes and architecture are compliant with GDPR or the respective geographical legislation! 🙂

 

Best,
Darshil
Re: GDPR Right To be forgotten - is proof of deletion a requirement?

Right.  I'm with you Darshil.  Thanks a lot for your assistance and stay safe out there!

Re: GDPR Right To be forgotten - is proof of deletion a requirement?

Glad that I could help you! You too, stay safe! 💪👍

Also a humble request to accept my answer as solution so that it stands resolved 🙂

 

Best,
Darshil