Update Data Protection No. 113
Supervisory Authority Publishes Guidelines for the Implementation of Erasure Obligations under the GDPR
In a press release dated June 20, 2022, the Bavarian State Commissioner for Data Protection published guidance on the obligation and the right to erasure arising from Art. 17 GDPR. The legally compliant implementation of erasure obligations regularly poses major challenges for companies (e.g. when designing backups), so an official assessment from the authorities is long overdue.
The primary aim of the guidance is to explain how the individual provisions of Art. 17 GDPR are to be understood, and it draws on opinions in the legal literature for this purpose. Individual factual requirements are explained using brief examples. Since the guidance refers to official data processing procedures, the examples are also taken from this area. The guidance does not contain any unexpected changes to the official requirements. Individual points which the authorities clarify are nevertheless briefly presented below:
I. Statements by the Bavarian State Commissioner for Data Protection
It is made clear from the outset that, in addition to the request-dependent obligation to erase, the controller also has an obligation to erase if the data subject has not submitted a request, but the requirements of Art. 17 (1) GDPR are objectively met. In this respect, the controller has an obligation to check the personal data processed by it.
At the same time, the authorities emphasize that erasure should not take place prematurely, but always directly after the prerequisites are met. It must also be ensured that no other right of the data subject is thwarted by the erasure. In cases of doubt, it is advisable for the controller to ask the data subject whether erasure is desired or whether another data subject right – such as restriction of processing – is more likely to be of interest to them.
In addition, it is stated that general requests for erasure may be irrelevant for the controller (paragraph 11). Furthermore, the controller should provide advice in the event that circumstances arise as a result of the request which are unclear or which may be disadvantageous for the data subject (paragraph 12, including example).
1. Grounds for erasure, Art. 17 (1) GDPR
With regard to the withdrawal of consent (Art. 17 (1) lit. b) GDPR), the authorities clarify that erasure does not always have to take place if consent has been withdrawn; the outcome may differ if the processing is permitted on the basis of another legal basis (e.g. legitimate interests). It is clarified here that obtaining consent as a "substitute legal basis" is generally not advisable. The extent to which a change to another legal basis is permissible after consent has been withdrawn must be decided on a case-by-case basis; where applicable, a breach of the principle of fairness and transparency could occur in this respect.
If the reason for erasure is the achievement of the purpose (Art. 17 (1) lit. a) GDPR), it should be noted that the purpose is to be determined while taking into account the respective processing action. The original purpose of collection may therefore be different than the purpose pursued after the transfer of such personal data to third parties. In this respect, each controller must always check its specific processing action for whether the purpose of the processing still exists. If personal data is processed for several purposes, it cannot be completely erased if at least one purpose still exists – however, partial erasure is still possible. For this reason, it makes sense to process data separately for different processing purposes.
If the data subject objects to the processing (Art. 17 (1) lit. c) GDPR) – i.e., in the case of processing based on legitimate interests, they make use of their right to object arising from Art. 21 (1) GDPR – it must be checked in each individual case whether overriding legitimate grounds exist. The consideration must include: the type of data, its sensitivity with regard to the data subject's private life, the public interest in access to it and the economic interests of the controller. As long as it has not yet been determined whether the legitimate grounds of the data subject prevail, the right of the data subject to restriction of processing may be considered. If the data subject objects to processing for direct advertising purposes in accordance with Art. 21 (2) GDPR, the overriding legitimate grounds of the controller are irrelevant.
The reason for erasure of unlawful processing (Art. 17 (1) lit. d) GDPR) does not apply if processing which was originally unlawful subsequently becomes lawful. It is also stated that, in the opinion of the authorities, not every legal violation of the GDPR leads to grounds for erasure being assumed. It should be determined whether the violation of law affects the processing. Unlawful processing would therefore be considered if the processing itself caused the violation of the law.
The grounds for erasure due to fulfilment of a legal obligation (Art. 17 (1) lit. e) GDPR) can be legal requirements or legally binding and final court and authority decisions. Purely contractual obligations vis-à-vis third parties are not sufficient. It should also be noted that the expiry of a statutory storage period does not in itself lead to the obligation to erase data pursuant to lit. e), as retention periods can also be minimum periods. In this respect, a distinction must be made between periods whose expiry must be followed by a legally required erasure and periods whose expiry merely results in the general rules on the erasure of personal data becoming applicable.
2. The act and scope of erasure
The authorities make it clear that, with regard to the act of erasure, it cannot be required that a definitively final erasure be achieved at any price. A merely theoretical possibility of reconstruction does not stand in the way of successful erasure if the controller complies with technical and organizational standards.
However, the obligation to erase applies to all copies, including backup copies. In this respect, the obligation to erase applies only to the controller. The scope of the obligation to erase depends on the extent to which the grounds for erasure apply in the individual case. In particular, if only individual data is to be erased from documents, it must be checked whether the data can be logically separated – the data set must therefore still be meaningful without the parts to be erased. The remaining parts must then always be checked to see whether grounds for erasure exist for them as well.
The erasure must be carried out "without undue delay" in the sense of "without culpable delay" (the legal concept of Sec. 121 German Civil Code [Bürgerliches Gesetzbuch, BGB]). If the data subject requests erasure, "without undue delay" refers to the period between the request for erasure and the act of erasure. If there are objective grounds for erasure – without a request from the data subject – it refers to the period between the objective occurrence of the grounds for erasure and the action being taken. The time at which knowledge was gained is therefore irrelevant. It follows that the data subject has an obligation to check.
If the personal data to be erased has been disclosed, erasure pursuant to Art. 17 GDPR triggers the controller’s obligation to notify.
3. "Right to be forgotten", Art. 17 (2) GDPR
In addition, Art. 17 (2) GDPR – which supersedes the information obligation under Art. 19 GDPR – applies if the personal data has been published to an unspecified group of people. If grounds for erasure exist, the controller must take measures to inform the other controllers which process such personal data that all links to such personal data, copies or replications are to be erased. In order for the legal consequence of Art. 17 (2) GDPR to apply, it is sufficient that the data subject's request for erasure to the original controller is deemed to also cover all links, copies and replications. The data subject does not therefore have to refer to these explicitly in their request for erasure.
The "appropriate measures" are to be determined in each individual case, taking into account the intensity of the intervention and the sensitivity of the respective personal data. In any case, it seems appropriate that the providers of the most important search engines are informed of requests for erasure.
4. Exceptions to the erasure obligation
If the controller would like to invoke an exception according to Art. 17 (3) GDPR, it is not sufficient for it to rely on the existence of the factual requirements. Rather, an assessment must be made in each individual case, which must be documented where appropriate. The interest of the controller or the public in further processing must outweigh the interest in erasure. It should be noted that the exception under Art. 17 (3) GDPR does not apply indefinitely; rather, the purposes will have been fulfilled after a certain period of time, so the personal data must then be erased. In practice, Art. 17 (3) lit. b) and e) GDPR can regularly be considered as exceptions, i.e. the existence of legal obligations (e.g. tax retention periods) or the need to retain data for the purpose of asserting claims (e.g. during the limitation period).
II. Implications for practice
The guidance referred to here is (as far as can be seen), apart from the short paper of the Datenschutzkonferenz of 2018, the first handout from a supervisory authority for the legally compliant implementation of data protection erasure obligations. Companies that were previously unsure of how exactly the existing erasure obligations should be implemented from the point of view of the authorities will find specific indications here.