“Forget Me!” Handling Data Deletion Requests as a Data Processor
People have more control over their personal information than ever before. Regulations like the GDPR (General Data Protection Regulation), CCPA (California Consumer Privacy Act), and even the new TDPSA (Texas Data Privacy and Security Act) grant users the “right to erasure,” also known as the “right to be forgotten.” This means they can request that companies delete their personal data. But what happens when you’re the data processor entrusted with someone else’s data? Here’s what you need to know about handling data deletion requests.
Understanding Your Role
As a data processor, you may only act on instructions from the data controller. That is usually going to be your customer. Unless your contract specifies otherwise, data subjects requesting that a data processor delete data should be redirected to the data controller. This can put companies such as email service providers in an awkward position because recipients are accustomed to dealing with housekeeping items like unsubscribe requests with the provider rather than the customer. Additionally, many recipients will be hoping to circumvent the need to submit several requests by serving the request for deletion on a single, common point of contact: the service provider. Nevertheless, your role as a data processor is to act on the data controller’s instructions, not the data subject’s.
When the user requests deletion from the controller, the controller will contact you to fulfill your part of that request. You are responsible for deleting the data you hold within a specified timeframe (usually a month under the GDPR or 45 days under statutes like the CCPA and TDPSA).
Taking Action
Here’s what your action plan might look like upon receiving a deletion request:
- Verification: Authenticate the request to ensure it’s legitimate. You’ll likely rely on the controller for verification procedures. Specific verification requirements may be set out in your contract (such as who is authorized to transmit the request).
- Identification: Pinpoint all instances of the user’s data within your systems. This could involve searching databases, backups, and logs. Providers with robust privacy programs will have much of this information in data inventories and flow maps.
- Deletion: Permanently erase the identified data. Ensure no residual copies remain.
- Confirmation: Inform the controller that the deletion is complete. They can then confirm with the user.
Challenges and Considerations
Fulfilling deletion requests isn’t always straightforward. Here are some things to keep in mind:
- Complexity: Data can be scattered across various systems and backups (including cold or offsite backups). Your procedures should account for requirements surrounding comprehensive deletion. The CCPA, in particular, allows for data to persist in archived form “until the archived or backup system relating to that data is restored to an active system or is next accessed or used for a sale, disclosure, or commercial purpose.” 11 CCR § 7022(d). On the other hand, Article 17 of the GDPR does not have an exemption for backups, although DPAs have issued guidance that recognizes the need for sanity in this regard.
- Legal Obligations: Certain data might need to be retained for legal reasons, such as sales records that must be retained for audit by taxing authorities. Consult with the controller for guidance.
- Technical Limitations: Certain technologies might make complete deletion difficult. Ensure your processes address these limitations.
Working with the Controller
Effective communication with the data controller is crucial. Your contract with the controller should clearly outline the process for handling deletion requests — including requests that come to you (the data processor) instead of your customer (the data controller). This includes:
- Notification procedures: How will the controller inform you about deletion requests?
- Data identification methods: How will you identify the relevant user data?
- Deletion confirmation protocols: How will you confirm successful deletion to the controller?
Staying Compliant
Establishing clear procedures and working collaboratively with the controller can ensure you’re fulfilling your obligations under data protection regulations.