GDPR - Right to be forgotten

Comments

  • Brynsam
    Brynsam Posts: 3,643 Forumite
    bap98189 wrote: »
    The right to be forgotten has nothing to do with GDPR.

    Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.
  • prowla
    prowla Posts: 13,162 Forumite
    Well, I wasn't intending to get into a discussion about the wordology, but...

    From the ICO guidelines.

    https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/
    At a glance
    • The GDPR introduces a right for individuals to have personal data erased.
    • The right to erasure is also known as "the right to be forgotten".
    And from the EU legislation itself:

    https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/my-rights/can-i-ask-company-delete-my-personal-data_en
    This right also applies online and is often referred to as the "right to be forgotten".
    So, the "right to be forgotten" is specifically mentioned in the legislation.

    Note that both cases do not state that the "right to be forgotten" only applies to online information, nor do they define what "online" means, for example the above EU official page also gives an example of a bank holding information after you switch accounts, which certainly goes beyond "internet search engines, etc.".

    Further, the EU page does not mention the term "Right to erasure", so it would seem to be no more precise or exact than "Right to be forgotten".
  • sangie595
    sangie595 Posts: 6,092 Forumite
    Yes, but that doesn't trump the GDPR requirements. The policy might say 10 years or even indefinitely but if the law (in the form of the ICO) thinks that is excessive the company can't rely on the policy.
    That really has yet to be determined. Like many other things, it will require an element of practice or case law to decide things. The ICO is neither "law" nor God. Some of our employers (actually a lot of them) are required to keep records that would count as personal information for ten years after the end of funding - so, effectively, until 2032. Failure to do so would entail the potential loss of £ millions to public authorities. But there's no law that says they can do that - it's policy. I don't think anyone cares what the ICO thinks of that. They'll keep those records and fight it in court if the ICO thought differently. The ICO is not the final arbiter. The law is. And "the law" is a court of law.
  • prowla
    prowla Posts: 13,162 Forumite
    sangie595 wrote: »
    That really has yet to be determined. Like many other things, it will require an element of practice or case law to decide things. The ICO is neither "law" nor God. Some of our employers (actually a lot of them) are required to keep records that would count as personal information for ten years after the end of funding - so, effectively, until 2032. Failure to do so would entail the potential loss of £ millions to public authorities. But there's no law that says they can do that - it's policy. I don't think anyone cares what the ICO thinks of that. They'll keep those records and fight it in court if the ICO thought differently. The ICO is not the final arbiter. The law is. And "the law" is a court of law.


    And that is part of the question:
    • If law "A" says one thing and law "B" says another, which wins?
    • If company policy says one thing and the law says another, which wins?
    • Is there some information which is required forever (eg. personal tax records if HMRC decided to do a countback)?
    • What if an employee was involved in corporate espionage, but they had their access records deleted?
    • Does the right to be forgotten trump other laws and business common-sense?
    • If a company asks your approval to store data under GDPR and you later rescind that approval, what happens?
    • What organisations are exempt from GDPR (eg. the Police storing criminal records, or DBS clearance)?
  • Slinky
    Slinky Posts: 9,982 Forumite
    For many years my insurance company says I need to keep my employer's liability certificate for 40 years! I'm presuming that is in case somebody decides to make a case against my business many years down the line. In which case I need to keep details of who those employees are for 40 years, otherwise how could I prove one way or another that a claimant was ever actually employed by my business?
  • sangie595
    sangie595 Posts: 6,092 Forumite
    prowla wrote: »
    And that is part of the question:
    • If law "A" says one thing and law "B" says another, which wins?
    • If company policy says one thing and the law says another, which wins?
    • Is there some information which is required forever (eg. personal tax records if HMRC decided to do a countback)?
    • What if an employee was involved in corporate espionage, but they had their access records deleted?
    • Does the right to be forgotten trump other laws and business common-sense?
    • If a company asks your approval to store data under GDPR and you later rescind that approval, what happens?
    • What organisations are exempt from GDPR (eg. the Police storing criminal records, or DBS clearance)?
    And the answer is - we'll have to wait and see. Like anything else. It isn't until a situation arises and someone fights it that we begin to unravel such questions.
  • steampowered
    steampowered Posts: 6,176 Forumite
    This is not actually a 'right to erasure' question.

    It is more a question of how the requirements in the GDPR in relation to the retention and use of personal data apply to employers. These requirements apply regardless of whether the right to erasure has been exercised.

    The GDPR requires, among other things, that the personal data kept by employers must only be collected for specified and legitimate purposes; must be relevant; must not be kept longer than necessary; and so on. See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.

    There are some types of information about employees which employers cannot (lawfully) justify retaining for more than short periods. Some employee monitoring/surveillance type systems have to be deleted pretty quickly - that has all been litigated extensively.

    But many other types of employee data can lawfully be kept for much longer periods, regardless of whether the employee consents or not. The usual justification is that the employer will need records if the employee were to bring a legal claim against the employer.
  • steampowered
    steampowered Posts: 6,176 Forumite
    prowla wrote: »
    And that is part of the question:
    • If law "A" says one thing and law "B" says another, which wins? Doesn't really happen in reality.
    • If company policy says one thing and the law says another, which wins? Clearly, the law wins. Companies can't trump law with their internal policies.
    • Is there some information which is required forever (eg. personal tax records if HMRC decided to do a countback)? Yes, there are. Though HMRC can only look back 7 years or 20 years in cases of fraud, so I doubt that tax information could legally be kept forever.
    • What if an employee was involved in corporate espionage, but they had their access records deleted? I don't understand.
    • Does the right to be forgotten trump other laws and business common-sense? Laws generally all have to be followed. Yes, law trumps business common sense obviously. You can't just decide by yourself to ignore the law - unless the law has a specific exemption in it.
    • If a company asks your approval to store data under GDPR and you later rescind that approval, what happens? Then the company can no longer rely on "consent" to store the data. The company may be able to retain the data if it can find another legal justification for keeping the data. There are a number of legal justifications to rely on for processing personal data, consent of the data subject is merely one possible option.
    • What organisations are exempt from GDPR (eg. the Police storing criminal records, or DBS clearance)? The GDPR applies to these organisations, but the GDPR (and the UK specific Data Protection Act 2018) contain specific exemptions applicable to law enforcement and similar sorts of organisations, exempting them from some (but not all) of the GDPR restrictions.

    All of this stuff has been litigated extensively.

    Most of these things are not simply a matter of letting the judge decide. There is settled law on most of this stuff giving a clear legal answer.

    A key point to understand is that the GDPR is really not very different to the data protection legislation we have had for many years. It is simply that the GDPR has tightened things up a bit and massively increased the possible fines, so people are starting to pay a bit more attention.
  • Gavin83
    Gavin83 Posts: 8,749 Forumite
    prowla wrote: »
    I've been wondering about GDPR and the Right to be forgotten if you leave an employment...


    If you withdraw your consent for the company to retain your information under GDPR, must all information about you be removed or are there some items of information which the employer must retain?

    Why do you want to be forgotten by your ex employer?
  • surreysaver
    surreysaver Posts: 4,105 Forumite
    The right to be forgotten is not absolute. If a company has a legal basis to process information then they can.
    The company does not need your consent to process personal data if there is another legal basis under which they can process it. Therefore there is no consent that you can withdraw. This is how the NHS gets away with sharing patients' personal data without consent.
This discussion has been closed.