GDPR: The Right to be Forgotten
The right of erasure vs. the legal requirement to store data
The protection and privacy of personal data has become a hot topic. Regulators across the globe implement laws which aim to provide greater protection of the privacy of personal data. One of the most significant pieces of legislation is GDPR which came into effect in Europe earlier this year. Modern personal data protection laws, including GDPR itself, are providing stronger enforcement rights, including punitive fines. But how far do an individual’s rights go? Whilst much has been written on GDPR, this article looks at an area that has received little attention – an individual’s right of erasure of his/her personal data versus an organisation’s legal requirement to retain that data.
The key point here is that the right of erasure under Article 17 of GDPR is in many cases not an absolute right for the individual. In fact, quite the opposite. Depending on the legal basis under which the data is processed, the handler of the data may reject such requests as it may be legally required to retain that data for regulatory purposes. There is only a handful of cases in which a data handler needs to abide by a request for deletion of data, such as for marketing when the consent of the individual is the legal basis for processing data.
For businesses, the legal basis for processing data is often either in the legitimate interest of the company handling the data or a legal obligation to process the data, stemming from tax laws or employment and insurance laws. In the second case, legal obligations laid down in the EU or its member states’ laws give the company an absolute right to reject a request for deletion of data. Imagine a situation where the French accounting law requires the taxable person to store invoices for 10 years. In this scenario, when the invoice contains an individual’s personal data, they have no legal right to ask for their personal data to be deleted. Consequently, any personal data deletion requests received by the company storing the invoice can legally be rejected.
The situation is not as straightforward in cases where it is a non-EU law that includes an obligation to store the data. For a US invoice, the obligation to store it will fall under the legal basis of legitimate interest, which is tougher to prove objectively. In such a scenario, the company holding the invoice data under US law needs to perform an assessment balancing the individual’s interest in having his/her data deleted against the company’s compelling legitimate grounds for processing the data. This is one of many reasons why companies appoint a Data Protection Officer who can help them make balanced decisions.
Whilst an individual’s rights are strong when it comes to the privacy and protection of their personal data, they are far from absolute. Personal data should be treated with respect in line with principles set out by law, but it is equally important to bear in mind that an individual’s request for erasure of their personal data may be rejected if the company processing that data has a legitimate reason for retaining it.
Sovos Trustweaver provides eArchiving solutions for clients in over 50 countries. To find out more visit https://www.trustweaver.com/solutions/e-archive/