GDPR: The Right to be Forgotten

Alicja Kwiatkowski
October 3, 2018

The right of erasure vs. the legal requirement to store data

The protection and privacy of personal data has become a hot topic. Regulators across the globe implement laws which aim to provide greater protection of the privacy of personal data. One of the most significant pieces of legislation is GDPR which came into effect in Europe earlier this year. Modern personal data protection laws, including GDPR itself, are providing stronger enforcement rights, including punitive fines. But how far do an individual’s rights go? Whilst much has been written on GDPR, this article looks at an area that has received little attention – an individual’s right of erasure of his/her personal data versus an organisation’s legal requirement to retain that data.

The key point here is that the right of erasure under Article 17 of GDPR is in many cases not an absolute right for the individual. In fact, quite the opposite. Depending on the legal basis under which the data is processed, the handler of the data may reject such requests as it may be legally required to retain that data for regulatory purposes. There is only a handful of cases in which a data handler needs to abide by a request for deletion of data, such as for marketing when the consent of the individual is the legal basis for processing data.

For businesses, the legal basis for processing data is often either in the legitimate interest of the company handling the data or a legal obligation to process the data, stemming from tax laws or employment and insurance laws. In the second case, legal obligations laid down in the EU or its member states’ laws give the company an absolute right to reject a request for deletion of data. Imagine a situation where the French accounting law requires the taxable person to store invoices for 10 years. In this scenario, when the invoice contains an individual’s personal data, they have no legal right to ask for their personal data to be deleted. Consequently, any personal data deletion requests received by the company storing the invoice can legally be rejected.

The situation is not as straightforward in cases where it is a non-EU law that includes an obligation to store the data. For a US invoice, the obligation to store it will fall under the legal basis of legitimate interest, which is tougher to prove objectively. In such a scenario, the company holding the invoice data under US law needs to perform an assessment balancing the individual’s interest in having his/her data deleted against the company’s compelling legitimate grounds for processing the data. This is one of many reasons why companies appoint a Data Protection Officer who can help them make balanced decisions.

Whilst an individual’s rights are strong when it comes to the privacy and protection of their personal data, they are far from absolute. Personal data should be treated with respect in line with principles set out by law, but it is equally important to bear in mind that an individual’s request for their personal data may be rejected if the company processing that data has a legitimate reason for doing so.

Take Action

Sovos Trustweaver provides eArchiving solutions for clients in over 50 countries. To find out more visit https://www.trustweaver.com/solutions/e-archive/

Sign up for Email Updates

Stay up to date with the latest tax and compliance updates that may impact your business.

Author

Alicja Kwiatkowski

Alicja Kwiatkowski is a Legal Counsel at Sovos TrustWeaver. Based in Stockholm, Alicja’s background is in law and IT with a professional focus on international e-invoicing compliance, personal data protection and cyber security. Alicja earned her degree in Law from University of Warsaw, Poland and LL.M in European IP Law from Stockholm University, Sweden.
Share This Post

North America Sales & Use Tax
June 5, 2023
Sovos Onboarding: 6 Departments Dedicated to Customer Success

If you are evaluating Sovos, we want you to understand expectations for the customer experience and what teams are there to support you. At Sovos, we have a range of teams ready to support you from the day you sign a contract. Whether it be a customer success representative to review the value you are […]

North America Sales & Use Tax
June 1, 2023
3 Things to Remember if You Get a Sales Tax Notice

Have you ever received a sales tax notice from a state department of revenue? Whether you answered yes or no, there are important things to keep top of mind to help keep your business prepared. Finding out that you have failed to comply with one or more of your sales tax obligations can be startling. […]

EMEA VAT & Fiscal Reporting
May 31, 2023
Bizkaia: What is Batuz LROE?

The Ledger of Economic Operations (Libro Registro de Operaciones Económicas), also known as LROE, is a main compliance element of the Batuz tax control system. This system is under implementation in the province of Bizkaia, located in the autonomous Basque community in Spain. Taxpayers under the Batuz mandate must comply with both TicketBAI and LROE […]

North America Unclaimed Property
May 30, 2023
How to Set Up a Successful Unclaimed Property Program

Unclaimed property compliance can be difficult and overwhelming. Clients often ask what they should be doing to ensure they are compliant with the various laws and regulations. It isn’t easy, especially if you have multiple property types such as checks, credits or customer accounts that have the potential to become unclaimed property in multiple states. […]

North America ShipCompliant
May 30, 2023
How Hold At Locations Improve Your Customers’ Wine Delivery Experience

Direct-to-consumer shipping wine lovers enjoy the convenience of having their favorite vinos shipped to their front door. But what happens when, for whatever reason, they aren’t available to accept their wine deliveries? Whether they aren’t available during the day or they don’t have someone 21 or older available to sign for their package, these challenges […]