The Right to be Forgotten (GDPR, Article 17)
With the General Data Protection Regulation (GDPR) having come into force just a few weeks ago, people have started wondering more often about their right to be forgotten. Data footprint limitation is one of the principles of data protection. Article 17, “Right to erasure / Right to be forgotten” (EU GDPR, EU DS-GVO), describes our right to have our personal data deleted as soon as the purpose for which it was processed is fulfilled or the consent to process is withdrawn. However, there are no general timelines for deletion.
Awareness of data protection has risen since May 25th, when all of us received numerous emails presenting the privacy statements of data controllers, which seem to store tons of our personal data. It is not new, though, that people take action against widespread processing of their personal data by deleting their social media accounts or by asking which types of personal data are collected in online shops, through smartphone apps or by their employer, in order to take back control over their personal data. Now, however, there are processes, buttons or contact forms on websites, and there is legal support in case a data controller (or processor) neglects its responsibility.
More than a technical issue…
The topic is more than a technical issue. It raises moral questions: just recently, I had a mail in my inbox from one of the well-known social networks for professionals, with a reminder to wish a former colleague “happy birthday”, although that person had already died five years ago. Not that I think the law should enhance forgetting about people we have fond memories of, but in this case, it is misleading information: this person is not celebrating her birthday – and my birthday mail would never have reached her.
I am not the first to get into moral questions with this law – years ago, there was a very controversial discussion about whether the right to be forgotten collides with the right to freedom of speech (some might remember the Google case of a Spanish citizen, where the European Court made a clear distinction between press freedom and information processing). In any case, we must not confuse the right of media to publish true statements (even on private matters) with the law to protect the integrity of information collected by data controllers on data subjects. And we should balance the reasons when applying Article 17.
Context of Article 17
There are reasons to take a more detailed look at this article, which should always be considered in the context of the overall data protection and data privacy policies. The right to be forgotten requires knowledge of the different articles and is a basis of the General Data Protection Regulation (GDPR), together with data protection, data evaluation, data portability as well as compliance with public interest and official authorities. It might not always be crystal clear whether deletion is the ultimate right – think about court cases published in online databases or credit reports / scores, which track a payment history that might no longer reflect current behavior – but the law itself is pretty clear on preconditions and exceptions.
What are the preconditions for applying Article 17?
By law, the right to erasure has to be balanced against other conflicting interests and rights, such as public or other third-party interests and transparency. Data may only be deleted if no legal retention period applies and if the data is no longer required to fulfill the purpose for which it was originally stored, or if permission for processing the data has expired. Take payroll data: retention periods depend on the country, and in Germany, for instance, payroll data must be kept for up to 10 years. Personal data has to be erased without undue delay if it has been unlawfully processed – this seems common sense to me. For completeness, I would like to mention that children’s rights to data privacy are weighted much higher and are reflected in Article 8.
What are conflicting terms and conditions?
As stated in the previous paragraph, data storage is necessary under certain conditions and therefore overrides the right to erasure. The right to freedom of expression and information is one example. Other grounds that justify the storage and processing of personal data are “public interest in the area of public health” and “scientific or historical research purposes or statistical purposes”. Last but not least, certain official authorities can override the right to data deletion.
Some technical aspects
After talking about legal and moral aspects, let me give you some technical background. Data is usually widely spread across IT systems, where master data, process data, metadata, and other digital footprints interlink or exist in separate systems. It can be complicated to track all the personal data if a data subject requests it. SAP Cloud Identity Access Governance (IAG) software improves and simplifies the governance of data access, and provides preconfigured audit reporting and a state-of-the-art security standard. It is based on the SAP Cloud Platform and helps customers and partners to optimize their data compliance, which is needed for data deletion or data blocking.
SAP has continuously enhanced the robustness of its data export capabilities. The security of data processing has been top priority in all services and infrastructure development. As mentioned in my previous blog, SAP is well set with respect to third-party audits, certifications and internal education in order to ensure GDPR compliance.
SAP’s role as data controller
SAP stores and processes data of employees, partners, suppliers and customers in its role as data controller. It is not only birthday data or address information: depending on the purpose of the data processing, it might be financial data or data related to human resources, purchasing data, source code or support questions and answers. Few data subjects think about a former certification report or maybe a blog contribution that dates back a couple of years. Most data processed by SAP is collected for the purpose of direct business (SAP with the business partner directly) and is not distributed to third-party vendors.
I am sure many companies have already received tons of requests for erasure – not always clearly thought through by the requestor. Let me therefore end this blog with a comparison to our analog existence: Who has ever experienced the rare but often impulsive action of cleaning up a basement or attic? For years, you accumulate belongings (comparable with personal data), you store things you might never look at again in boxes or on shelves (comparable with your comments in an online community) in your basement until one day you get a cleaning attack and throw everything away – compulsive, impulsive and without clear thinking! Be aware of the fact that deletion of data is quick (as is throwing away belongings), but recovery is tedious or impossible!
If you would like to share your view or experience with the “right to be forgotten”, feel encouraged to comment in the blog.
# # #
Ulrike Fempel is a book author and a senior business development manager with over 20 years of global experience in IT. Recognized as a significant driver by peers, management as well as partners, she has a passion for sciences. Contact her on Twitter / LinkedIn.