GDPR: The Right to be Forgotten

Alicja Kwiatkowski
October 3, 2018

The right of erasure vs. the legal requirement to store data

The protection and privacy of personal data has become a hot topic. Regulators across the globe implement laws which aim to provide greater protection of the privacy of personal data. One of the most significant pieces of legislation is GDPR which came into effect in Europe earlier this year. Modern personal data protection laws, including GDPR itself, are providing stronger enforcement rights, including punitive fines. But how far do an individual’s rights go? Whilst much has been written on GDPR, this article looks at an area that has received little attention – an individual’s right of erasure of his/her personal data versus an organisation’s legal requirement to retain that data.

The key point here is that the right of erasure under Article 17 of GDPR is in many cases not an absolute right for the individual. In fact, quite the opposite. Depending on the legal basis under which the data is processed, the handler of the data may reject such requests as it may be legally required to retain that data for regulatory purposes. There is only a handful of cases in which a data handler needs to abide by a request for deletion of data, such as for marketing when the consent of the individual is the legal basis for processing data.

For businesses, the legal basis for processing data is often either in the legitimate interest of the company handling the data or a legal obligation to process the data, stemming from tax laws or employment and insurance laws. In the second case, legal obligations laid down in the EU or its member states’ laws give the company an absolute right to reject a request for deletion of data. Imagine a situation where the French accounting law requires the taxable person to store invoices for 10 years. In this scenario, when the invoice contains an individual’s personal data, they have no legal right to ask for their personal data to be deleted. Consequently, any personal data deletion requests received by the company storing the invoice can legally be rejected.

The situation is not as straightforward in cases where it is a non-EU law that includes an obligation to store the data. For a US invoice, the obligation to store it will fall under the legal basis of legitimate interest, which is tougher to prove objectively. In such a scenario, the company holding the invoice data under US law needs to perform an assessment balancing the individual’s interest in having his/her data deleted against the company’s compelling legitimate grounds for processing the data. This is one of many reasons why companies appoint a Data Protection Officer who can help them make balanced decisions.

Whilst an individual’s rights are strong when it comes to the privacy and protection of their personal data, they are far from absolute. Personal data should be treated with respect in line with principles set out by law, but it is equally important to bear in mind that an individual’s request for their personal data may be rejected if the company processing that data has a legitimate reason for doing so.

Take Action

Sovos Trustweaver provides eArchiving solutions for clients in over 50 countries. To find out more visit https://www.trustweaver.com/solutions/e-archive/

Sign up for Email Updates

Stay up to date with the latest tax and compliance updates that may impact your business.

Author

Alicja Kwiatkowski

Alicja Kwiatkowski is a Regulatory Counsel at Sovos TrustWeaver. Based in Stockholm, Alicja’s background is in law and IT with a professional focus on international e-invoicing compliance, personal data protection and cyber security. Alicja earned her degree in Law from University of Warsaw, Poland and LL.M in European IP Law from Stockholm University, Sweden.
Share This Post

Tax Information Reporting United States
2019-03-22
How to Respond to the Growing Challenges of 1099-R Reporting

The demographics don’t lie: Reporting for form 1099-R is only going to grow more difficult as baby boomers retire. The form used to report distributions from IRA, pensions, annuities and other similar retirement accounts is poised to explode in volume. As such, financial institutions (FIs) and insurance companies can’t afford to mishandle 1099-R reporting. The […]

E-Invoicing Compliance EMEA
2019-03-21
Portugal Issues New E-Invoicing Rules: A Flavour of Clearance but Not Quite There

On 15 February 2019, Portugal published Decree-Law 28/2019 regarding the processing, archiving and dematerialization of invoices and other tax related documents including: The mandatory use of certified invoicing software General requirements for paper and electronic invoices Dematerialization of tax documentation Archiving of tax documentation (including ledgers, etc) Adjacent tax rules and obligations The decree aims […]

EMEA LATAM VAT & Fiscal Reporting
2019-03-18
Are We in the Golden Age of VAT Recovery?

The value-added tax (“VAT”) was described in the EU as a “”money machine” over 20 years ago. Yet according to a 2015 study by the European Commission by the Centre for Social and Economic Research (CASE), the “VAT gap” was approximately 168 billion EUR. This represents 15 percent of the theoretical VAT that would be […]

Tax Information Reporting United States
2019-03-15
As Legal Sports Gambling Grows, So Does Growth in W-2G Reporting

With the NCAA basketball tournament approaching, the US is gearing up for its biggest gambling weeks of the year. And while most “March Madness” pools might technically be illegal, legitimate sports betting is sweeping the US following last year’s landmark Supreme Court decision allowing states to legalize sports gambling in casinos.   As legal sports […]

E-Invoicing Compliance EMEA Italy
2019-03-14
Italy E-invoicing: Esterometro Reporting Requirements for Cross-border Transactions Updated

What is Esterometro? The Italian government’s e-invoicing mandate became effective on 1 January 2019.  While cross-border invoices are exempt, all domestic B2B and B2C invoices must be cleared through the SDI platform. This means that the Italian government and tax authority now have real-time access to the data of all B2B and B2C VAT transactions […]