  • FIRST POST
    • prowla
    • By prowla 10th Aug 18, 3:05 PM
    • 10,089 Posts
    • 8,311 Thanks
    prowla
    GDPR - Right to be forgotten
    • #1
    • 10th Aug 18, 3:05 PM
    I've been wondering about GDPR and the Right to be forgotten if you leave an employment...


    If you withdraw your consent for the company to retain your information under GDPR, must all information about you be removed or are there some items of information which the employer must retain?
    • bap98189
    • By bap98189 10th Aug 18, 3:08 PM
    • 2,955 Posts
    • 5,190 Thanks
    bap98189
    • #2
    • 10th Aug 18, 3:08 PM
    I've been wondering about GDPR and the Right to be forgotten if you leave an employment...


    If you withdraw your consent for the company to retain your information under GDPR, must all information about you be removed or are there some items of information which the employer must retain?
    Originally posted by prowla
    The right to be forgotten has nothing to do with GDPR.

    But the answer to your questions is that yes, an employer can retain a number of different records even if you write to them and try to withdraw your consent.
    • sangie595
    • By sangie595 10th Aug 18, 3:12 PM
    • 5,515 Posts
    • 9,476 Thanks
    sangie595
    • #3
    • 10th Aug 18, 3:12 PM
    The right isn't absolute. There are certain types of data which the employer must retain, or retain for specific periods of time - tax records for example. There is other information which may be advisable to retain for periods - any employer who deletes anything before it is impossible for an employment tribunal to be claimed - so possibly up to 12 months, but definitely 6 months - is an idiot. Other pieces of information, similarly, should be held until there is no risk to the employer.

    The right to be forgotten is mitigated by legal necessity. Until there's some real practical testing of the law, nobody can predict with certainty what might be the case. But I wouldn't advise anyone to "forget" any employee until they have confidence that this is not a risk. If they can justify keeping the records, they can.
    • Marcon
    • By Marcon 10th Aug 18, 3:27 PM
    • 541 Posts
    • 404 Thanks
    Marcon
    • #4
    • 10th Aug 18, 3:27 PM
    The right to be forgotten has nothing to do with GDPR.
    Originally posted by bap98189
    The right to be forgotten has everything to do with GDPR, unless the Information Commissioner is mistaken(!): https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/
    • Comms69
    • By Comms69 10th Aug 18, 3:32 PM
    • 5,029 Posts
    • 5,071 Thanks
    Comms69
    • #5
    • 10th Aug 18, 3:32 PM
    The right to be forgotten has everything to do with GDPR, unless the Information Commissioner is mistaken(!): https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/
    Originally posted by Marcon


    I think the 'right to be forgotten' as a term is used in many different ways. e.g. google / other search engines.
    • Undervalued
    • By Undervalued 10th Aug 18, 4:06 PM
    • 3,495 Posts
    • 3,156 Thanks
    Undervalued
    • #6
    • 10th Aug 18, 4:06 PM
    The right to be forgotten has everything to do with GDPR, unless the Information Commissioner is mistaken(!): https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/
    Originally posted by Marcon
    No, that is as it says a right to erasure! Not the same thing.

    The so called right to be forgotten applies to internet search engines etc.

    But yes, the page you linked does indeed answer the question the OP meant to ask!
    • Doshwaster
    • By Doshwaster 10th Aug 18, 4:53 PM
    • 4,986 Posts
    • 4,118 Thanks
    Doshwaster
    • #7
    • 10th Aug 18, 4:53 PM
    The right to be forgotten has nothing to do with GDPR.

    But the answer to your questions is that yes, an employer can retain a number of different records even if you write to them and try to withdraw your consent.
    Originally posted by bap98189
    Yes, there are some records which employers legally have to retain even if you don't want them to.

    You should have a company privacy policy which states how long personal data is kept. I've just checked ours and some data are destroyed as soon as employment ends (e.g. emergency contact details, most medical information), most things are after 7 years while others are permanent (e.g. pension records, share options)
    • Undervalued
    • By Undervalued 10th Aug 18, 5:02 PM
    • 3,495 Posts
    • 3,156 Thanks
    Undervalued
    • #8
    • 10th Aug 18, 5:02 PM
    Yes, there are some records which employers legally have to retain even if you don't want them to.

    You should have a company privacy policy which states how long personal data is kept. I've just checked ours and some data are destroyed as soon as employment ends (e.g. emergency contact details, most medical information), most things are after 7 years while others are permanent (e.g. pension records, share options)
    Originally posted by Doshwaster
    Yes, but that doesn't trump the GDPR requirements. The policy might say 10 years or even indefinitely but if the law (in the form of the ICO) thinks that is excessive the company can't rely on the policy.
    • Marcon
    • By Marcon 10th Aug 18, 5:11 PM
    • 541 Posts
    • 404 Thanks
    Marcon
    • #9
    • 10th Aug 18, 5:11 PM
    No, that is as it says a right to erasure! Not the same thing.

    The so called right to be forgotten applies to internet search engines etc.

    But yes, the page you linked does indeed answer the question the OP meant to ask!
    Originally posted by Undervalued
    I think OP asked the question they meant to ask. As IC says:
    • The GDPR introduces a right for individuals to have personal data erased.
    • The right to erasure is also known as ‘the right to be forgotten’.
    • sangie595
    • By sangie595 10th Aug 18, 5:11 PM
    • 5,515 Posts
    • 9,476 Thanks
    sangie595
    Yes, there are some records which employers legally have to retain even if you don't want them to.

    You should have a company privacy policy which states how long personal data is kept. I've just checked ours and some data are destroyed as soon as employment ends (e.g. emergency contact details, most medical information), most things are after 7 years while others are permanent (e.g. pension records, share options)
    Originally posted by Doshwaster
    Gosh. Your employers are terribly trusting. Given the possibility of a discrimination or liability claim, I doubt a court will go for "we destroy most medical records as soon as someone leaves".
    • Brynsam
    • By Brynsam 10th Aug 18, 5:12 PM
    • 1,676 Posts
    • 1,231 Thanks
    Brynsam
    Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.
    • Brynsam
    • By Brynsam 10th Aug 18, 5:13 PM
    • 1,676 Posts
    • 1,231 Thanks
    Brynsam
    The right to be forgotten has nothing to do with GDPR.
    Originally posted by bap98189
    Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.
    • prowla
    • By prowla 10th Aug 18, 5:19 PM
    • 10,089 Posts
    • 8,311 Thanks
    prowla
    Well, I wasn't intending to get into a discussion about the wordology, but...

    From the ICO guidelines.

    https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/
    At a glance
    • The GDPR introduces a right for individuals to have personal data erased.
    • The right to erasure is also known as "the right to be forgotten".
    And from the EU legislation itself:

    https://ec.europa.eu/info/law/law-topic/data-protection/reform/rights-citizens/my-rights/can-i-ask-company-delete-my-personal-data_en
    This right also applies online and is often referred to as the "right to be forgotten".
    So, the "right to be forgotten" is specifically mentioned in the legislation.

    Note that both cases do not state that the "right to be forgotten" only applies to online information, nor do they define what "online" means, for example the above EU official page also gives an example of a bank holding information after you switch accounts, which certainly goes beyond "internet search engines, etc.".

    Further, the EU page does not mention the term "Right to erasure", so it would seem to be no more precise or exact than "Right to be forgotten".
    • sangie595
    • By sangie595 10th Aug 18, 5:20 PM
    • 5,515 Posts
    • 9,476 Thanks
    sangie595
    Yes, but that doesn't trump the GDPR requirements. The policy might say 10 years or even indefinitely but if the law (in the form of the ICO) thinks that is excessive the company can't rely on the policy.
    Originally posted by Undervalued
    That really has yet to be determined. Like many other things, it will require an element of practice or case law to decide things. The ICO is neither "law" nor God. Some of our employers (actually a lot of them) are required to keep records that would count as personal information for ten years after the end of funding - so, effectively, until 2032. Failure to do so would entail the potential loss of £ millions to public authorities. But there's no law that says they can do that - it's policy. I don't think anyone cares what the ICO thinks of that. They'll keep those records and fight it in court if the ICO thought differently. The ICO is not the final arbiter. The law is. And "the law" is a court of law.
    • prowla
    • By prowla 10th Aug 18, 5:44 PM
    • 10,089 Posts
    • 8,311 Thanks
    prowla
    That really has yet to be determined. Like many other things, it will require an element of practice or case law to decide things. The ICO is neither "law" nor God. Some of our employers (actually a lot of them) are required to keep records that would count as personal information for ten years after the end of funding - so, effectively, until 2032. Failure to do so would entail the potential loss of £ millions to public authorities. But there's no law that says they can do that - it's policy. I don't think anyone cares what the ICO thinks of that. They'll keep those records and fight it in court if the ICO thought differently. The ICO is not the final arbiter. The law is. And "the law" is a court of law.
    Originally posted by sangie595

    And that is part of the question:
    • If law "A" says one thing and law "B" says another, which wins?
    • If company policy says one thing and the law says another, which wins?
    • Is there some information which is required forever (eg. personal tax records if HMRC decided to do a countback)?
    • What if an employee was involved in corporate espionage, but they had their access records deleted?
    • Does the right to be forgotten trump other laws and business common-sense?
    • If a company asks your approval to store data under GDPR and you later rescind that approval, what happens?
    • What organisations are exempt from GDPR (eg. the Police storing criminal records, or DBS clearance)?
    • Slinky
    • By Slinky 10th Aug 18, 5:53 PM
    • 5,525 Posts
    • 25,959 Thanks
    Slinky
    For many years my insurance company says I need to keep my employer's liability certificate for 40 years! I'm presuming that is in case somebody decides to make a case against my business many years down the line. In which case I need to keep details of who those employees are for 40 years, otherwise how could I prove one way or another that a claimant was ever actually employed by my business?
    • sangie595
    • By sangie595 10th Aug 18, 6:30 PM
    • 5,515 Posts
    • 9,476 Thanks
    sangie595
    And that is part of the question:
    • If law "A" says one thing and law "B" says another, which wins?
    • If company policy says one thing and the law says another, which wins?
    • Is there some information which is required forever (eg. personal tax records if HMRC decided to do a countback)?
    • What if an employee was involved in corporate espionage, but they had their access records deleted?
    • Does the right to be forgotten trump other laws and business common-sense?
    • If a company asks your approval to store data under GDPR and you later rescind that approval, what happens?
    • What organisations are exempt from GDPR (eg. the Police storing criminal records, or DBS clearance)?
    Originally posted by prowla
    And the answer is - we'll have to wait and see. Like anything else. It isn't until a situation arises and someone fights it that we begin to unravel such questions.
    • steampowered
    • By steampowered 10th Aug 18, 7:01 PM
    • 2,889 Posts
    • 2,866 Thanks
    steampowered
    This is not actually a 'right to erasure' question.

    It is more a question of how the requirements in the GDPR in relation to the retention and use of personal data apply to employers. These requirements apply regardless of whether the right to erasure has been exercised.

    The GDPR requires, among other things, that the personal data kept by employers must only be collected for specified and legitimate purposes; must be relevant; must not be kept longer than necessary; and so on. See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.

    There are some types of information about employees which employers cannot (lawfully) justify retaining for more than short periods. Some employee monitoring/surveillance type systems have to be deleted pretty quickly - that has all been litigated extensively.

    But many other types of employee data can lawfully be kept for much longer periods, regardless of whether the employee consents or not. The usual justification is that the employer will need records if the employee was to bring a legal claim against the employer.
    • steampowered
    • By steampowered 10th Aug 18, 7:07 PM
    • 2,889 Posts
    • 2,866 Thanks
    steampowered
    And that is part of the question:
    • If law "A" says one thing and law "B" says another, which wins?
      Doesn't really happen in reality.
    • If company policy says one thing and the law says another, which wins?
      Clearly, the law wins. Companies can't trump law with their internal policies.
    • Is there some information which is required forever (eg. personal tax records if HMRC decided to do a countback)?
      Yes, there are. Though HMRC can only look back 7 years or 20 years in cases of fraud, so I doubt that tax information could legally be kept forever.
    • What if an employee was involved in corporate espionage, but they had their access records deleted?
      I don't understand.
    • Does the right to be forgotten trump other laws and business common-sense?
      Laws generally all have to be followed. Yes, law trumps business common sense obviously. You can't just decide by yourself to ignore the law - unless the law has a specific exemption in it.
    • If a company asks your approval to store data under GDPR and you later rescind that approval, what happens?
      Then the company can no longer rely on "consent" to store the data. The company may be able to retain the data if it can find another legal justification for keeping the data. There are a number of legal justifications to rely on for processing personal data, consent of the data subject is merely one possible option.
    • What organisations are exempt from GDPR (eg. the Police storing criminal records, or DBS clearance)?
      The GDPR applies to these organisations, but the GDPR (and the UK specific Data Protection Act 2018) contain specific exemptions applicable to law enforcement and similar sorts of organisations, exempting them from some (but not all) of the GDPR restrictions.
    Originally posted by prowla
    All of this stuff has been litigated extensively.

    Most of these things are not simply a matter of letting the judge decide. There is settled law on most of this stuff giving a clear legal answer.

    A key point to understand is that the GDPR is really not very different to the data protection legislation we have had for many years. It is simply that the GDPR has tightened things up a bit and massively increased the possible fines, so people are starting to pay a bit more attention.
    • Gavin83
    • By Gavin83 10th Aug 18, 7:51 PM
    • 5,394 Posts
    • 8,907 Thanks
    Gavin83
    I've been wondering about GDPR and the Right to be forgotten if you leave an employment...


    If you withdraw your consent for the company to retain your information under GDPR, must all information about you be removed or are there some items of information which the employer must retain?
    Originally posted by prowla
    Why do you want to be forgotten by your ex employer?