The so-called “right to be forgotten”
Today there are things worth knowing about the “right to be forgotten” in Article 17 of the GDPR. We will show you reasons when personal information must be deleted. The “right to be forgotten” includes the obligation to delete the data of the data subject upon request. When is this specifically the case: For example, my customer would like to unsubscribe from his newsletter. In this case, a process is needed to permanently unsubscribe the customer from the newsletter and to permanently delete any data stored by the customer. Personal data must also be deleted as soon as the purpose for which the data was stored no longer exists. Personal data must also be deleted if the data subject revokes his/her consent to the processing of his/her data.
The following information is also relevant in practice: application documents/data may only be stored for three months. If an employer wants to keep them longer, he or she needs the applicant’s consent. The situation is different for payroll records: Here, a retention obligation of 10 years applies.
Care must also be taken that companies do not pass on data to third parties under any circumstances. This could result in severe fines. Get an overview of where personal data is stored and don’t forget to set up backups in a protected environment for particularly sensitive data!
Further recommendations: Define, automate and log deletion processes. This way you are on the safe side in the event of an audit and have a means of proof!