In the digital age, we are aware of the value of our personal data. Data privacy is a topic of great importance today, yet many users are still unaware of the rights they have regarding data protection.
One of the most relevant rights is the right to erasure, also known as the “right to be forgotten.”
If you have a business or manage a company that handles personal data, sooner or later you might receive a request from a customer asking you to delete their information. What should you do in this situation? Are you required to delete the data in all cases? Are there any exceptions? In this article, we will try to answer all these questions so you can comply with the regulations and respond appropriately to these requests.
Data erasure is a process aimed at permanently deleting personal data held by a company. The goal is to ensure that personal data is not kept longer than necessary and is handled in accordance with data protection laws.
In Europe, Article 17 of the General Data Protection Regulation (GDPR) gives data subjects the right to obtain the erasure of their personal data when one of the grounds listed there applies, for example when the data are no longer necessary for the purpose they were collected for, or when the person withdraws the consent on which the processing was based.
But what exactly is this right? This right allows:
However, while the right to erasure is fundamental, it is not an absolute right, and data cannot always be deleted. There are some situations where companies are not obligated to delete a customer's data, even if requested.
There are several reasons why a company may refuse a data deletion request.
If your company receives a data deletion request, but the data falls under any of these exceptions, it is important to inform the customer clearly and transparently why it is not possible to delete the data at that time.
Your obligation in that case is to block the data rather than delete it: the data is kept but withdrawn from normal processing and held under technical and organisational measures that prevent access or use, except to make it available to courts, prosecutors or competent public authorities for liability purposes, until the retention period that justified the exception ends. Once that period has passed, the blocked data must be deleted.
If a customer requests the deletion of their data, the first thing you must do is verify their identity. This is important to prevent unauthorized individuals from requesting the deletion of someone else's information.
By the way, don't go asking for their ID directly! Your obligation is to verify the identity of the person exercising a right, but you should not request invasive personal data (such as a photocopy of their ID) when you can verify their identity through simpler and proportionate means, for instance a confirmation sent to the e-mail address already associated with their account.
Once you've confirmed their identity, you need to review the request and decide whether the data can be deleted or whether there is a legal reason to keep it. If the request is valid, you must delete the data from every system where it is stored and ensure it is no longer processed in the future. Under Article 19 of the GDPR you must also communicate the erasure to each recipient to whom the data were disclosed (for example processors working on your behalf), unless this proves impossible or involves disproportionate effort, and you must tell the customer about those recipients if they ask.
The GDPR establishes that companies have one month from receipt of a request to respond to customers' requests related to their data protection rights (Article 12(3)). Where the request is complex, or the number of requests is high, that period can be extended by a further two months, but the customer must be informed of the extension and the reasons for the delay within the first month.
After deleting the data, you must confirm to the customer that their request has been fulfilled. If it is not possible to delete the data due to legal exceptions, you must explain the reasons and the period during which the information will remain stored.
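As an added example (this is not the article's own code, nor Lawwwing's product), the following Python model walks through the procedure above: the request is only acted on after identity has been verified, each record is either deleted or blocked according to a list of legal holds, the response deadline is computed in calendar months (with the one-month extension notice and the two-month extension), and blocked records are released for deletion once their retention date has passed. All names, systems, categories and sample records are constructed for the example; identity verification is modelled as a confirmation link sent to the e-mail address already on the account.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Action(Enum):
    DELETED = "deleted"  # erased from the system
    BLOCKED = "blocked"  # kept, but withdrawn from processing until retain_until


@dataclass(frozen=True)
class PersonalRecord:
    system: str          # hypothetical system holding the data (CRM, billing, ...)
    category: str        # hypothetical data category ("invoice", "marketing_profile", ...)
    subject_email: str   # identifier of the data subject


@dataclass(frozen=True)
class LegalHold:
    category: str        # category that cannot be erased yet
    reason: str          # legal ground for keeping it (e.g. tax bookkeeping duty)
    retain_until: date   # end of the retention obligation


@dataclass(frozen=True)
class ErasureRequest:
    claimed_email: str
    received_on: date
    confirmed_via_account_email: bool  # confirmation link on the account e-mail was used


@dataclass
class Outcome:
    respond_by: date                                      # Article 12(3): one month
    deleted: list[PersonalRecord] = field(default_factory=list)
    blocked: list[tuple[PersonalRecord, LegalHold]] = field(default_factory=list)
    kept: list[PersonalRecord] = field(default_factory=list)  # other subjects' data, untouched


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping to the last day of the target month
    (31 January + 1 month -> 28/29 February)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def extension_deadlines(received_on: date) -> tuple[date, date]:
    """For a complex request: the date by which the customer must be told about the
    extension (one month) and the latest response date after extending by two more
    months (three months in total)."""
    return add_months(received_on, 1), add_months(received_on, 3)


def process_erasure_request(request: ErasureRequest,
                            records: list[PersonalRecord],
                            holds: list[LegalHold]) -> Outcome:
    """Apply an erasure request to the records held. Raises if identity is unverified."""
    if not request.confirmed_via_account_email:
        # Never erase on an unverified request: a third party could otherwise
        # delete someone else's data just by knowing their e-mail address.
        raise ValueError("identity not verified; do not act on the request")

    holds_by_category = {h.category: h for h in holds}
    outcome = Outcome(respond_by=add_months(request.received_on, 1))
    for record in records:
        if record.subject_email != request.claimed_email:
            outcome.kept.append(record)          # not this subject's data
        elif record.category in holds_by_category:
            outcome.blocked.append((record, holds_by_category[record.category]))
        else:
            outcome.deleted.append(record)       # would be removed from record.system here
    return outcome


def purge_expired_blocks(blocked: list[tuple[PersonalRecord, LegalHold]],
                         today: date) -> tuple[list[tuple[PersonalRecord, LegalHold]],
                                               list[PersonalRecord]]:
    """Split blocked records into those still under retention and those now deletable."""
    still_blocked = [(r, h) for r, h in blocked if h.retain_until >= today]
    deletable = [r for r, h in blocked if h.retain_until < today]
    return still_blocked, deletable


if __name__ == "__main__":
    # Constructed sample data for the example.
    records = [
        PersonalRecord("newsletter", "marketing_profile", "alice@example.com"),
        PersonalRecord("billing", "invoice", "alice@example.com"),
        PersonalRecord("crm", "contact", "bob@example.com"),
    ]
    holds = [LegalHold("invoice", "invoices kept for tax bookkeeping", date(2030, 12, 31))]
    req = ErasureRequest("alice@example.com", date(2025, 1, 31), True)
    result = process_erasure_request(req, records, holds)
    print("respond by:", result.respond_by)
    for r in result.deleted:
        print("deleted:", r.system, r.category)
    for r, h in result.blocked:
        print("blocked:", r.system, r.category, "until", h.retain_until, "-", h.reason)
```

The blocked list is what you report back to the customer under the legal exceptions: which data remains, why, and until when. Running `purge_expired_blocks` periodically against that list is how the final deletion after the retention period gets done rather than forgotten.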
To avoid future problems, follow these recommendations:
Did you know that at Lawwwing we help you manage your customers' rights requests? Properly handling personal data deletion requests is essential to comply with the GDPR and the LOPDGDD. Lawwwing is the comprehensive platform for complying with digital regulations and ensuring your website meets all legal requirements.