Hvar img

Data deletion obligations

    The General Data Protection Regulation (GDPR) has radically altered the way personal data is collected, processed and stored by data controllers and processors.

    One of the more challenging aspects of the new regulation is that of deleting data, whether at the expiry of an agreement or contract, or as part of a ‘right to erasure’ request, previously known as ‘the right to be forgotten’. Of course, as voice call recordings are considered to be data processing, they also fall under this remit.

    Under GDPR, data controllers and processors are obliged to return or delete all personal data after the end of services, or on expiry of a contract or agreement, unless it’s necessary to retain the data by law.

    The bill also includes the right to be forgotten – also known as ‘right to erasure’ – whereby individuals can demand that their data is deleted if it's no longer necessary for the purpose it was collected, or there is no ‘compelling’ reason for its continued processing.

    They can also demand that their data is erased if they've withdrawn their consent for their data to be collected, or object to the way it is being processed. The controller is responsible for telling other organisations to delete any links to copies of that data, as well as the copies themselves.

    The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances:
    · Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
    · When the individual withdraws consent.
    · When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
    · The personal data was unlawfully processed (in breach of the GDPR).
    · The personal data has to be erased in order to comply with a legal obligation.

    So, if just one of these conditions applies, it is the responsibility of the data controller to delete and remove data and recorded calls ‘without undue delay’, and specifically within a month, barring exceptional circumstances.