What data may I not delete under a valid right to erasure request?
In today's complex regulatory landscape, businesses must strike the right balance between respecting an individual's right to privacy and fulfilling their legal obligations. The right to be forgotten, more precisely the right to erasure in Article 17 of GDPR, allows individuals to request the deletion of their personal data. But as straightforward as it sounds, there are many instances where you simply cannot, and must not, comply with an erasure request.
Knowing when you can and cannot delete data is essential. Some data must be retained by law (tax and accounting records, for example), some is still needed to perform an ongoing contract, and some serves a wider public interest, such as public health. The exemptions are set out in Article 17(3)(a) to (e) of GDPR: freedom of expression and information; compliance with a legal obligation or a task in the public interest; public health; archiving, research and statistical purposes; and the establishment, exercise or defence of legal claims.
Understanding these exceptions will not only help you stay compliant but also communicate clearly with your clients and customers about why certain data must be kept.
Here, we break down the key types of data that cannot be erased and why.
1. Legal compliance
- Tax records
Businesses are required to retain financial records, such as invoices and tax-related documents, for a set period, typically six years from the end of the relevant accounting period in the UK. These requirements come from legislation such as the Finance Act 1998 (Schedule 18, for corporation tax records) and the Companies Act 2006 (accounting records). Even if a customer asks for all of their data to be deleted, the tax-related information must be kept for as long as the statutory period runs.
- Employment records
Certain employee records, such as payroll documents or records of workplace safety incidents, must be kept to meet legal requirements. These documents are retained for several years under employment and health and safety legislation, such as the Employment Rights Act 1996 and the Health and Safety at Work etc. Act 1974, and the fact that a former employee asks for erasure does not shorten that period.
- Financial records for Anti-Money Laundering
If your business operates in a sector where anti-money laundering (AML) regulations apply, such as financial services, customer due diligence records and transaction records must be kept for at least five years after the end of the business relationship or the completion of the transaction. This requirement is set out in The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017.
2. Contractual necessity
- Pending transactions
Data required to complete an ongoing transaction cannot be deleted until the transaction is finalised, because the processing is still necessary for the performance of the contract and the data is therefore not "no longer necessary" under Article 17(1)(a). For example, you cannot delete the delivery details needed to fulfil an outstanding product order or the account details needed to provide an ongoing service.
- Debt collection
If a customer has outstanding debts or unfulfilled contractual obligations, the data needed to pursue or resolve those obligations may be retained until they are settled. This overlaps with the legal-claims exemption below: records that may be needed to prove or enforce the debt fall under Article 17(3)(e).
3. Public interest
- Freedom of Information and Public Health
Some data must be retained in the public interest, in particular for public health purposes (Article 17(3)(c)) or for tasks carried out in the public interest or in the exercise of official authority (Article 17(3)(b)). In the UK, powers and duties relating to the control of disease are set out in the Public Health (Control of Disease) Act 1984, and public authorities also have their own statutory record-keeping obligations that an erasure request cannot override.
- Archiving purposes
Personal data processed for archiving purposes in the public interest, or for scientific or historical research or statistical purposes, may also need to be retained even when deletion is requested, where erasure would be likely to render that processing impossible or seriously impair it (Article 17(3)(d)).
4. Legal claims
- Establishment, exercise, or defense of legal claims
If data is required to establish, exercise or defend legal claims, it does not have to be deleted (Article 17(3)(e)). For instance, if a customer has been involved in a dispute with your company, or one is reasonably anticipated, retaining the relevant correspondence and records may be necessary to support your position. In practice this means placing the records under a litigation hold for the duration of the dispute and any applicable limitation period, rather than keeping them indefinitely.
5. Freedom of expression
- Journalistic or artistic use
Data processed for journalistic, artistic, literary or academic purposes may be exempt from the right to erasure. This exemption is provided by Article 17(3)(a) of GDPR, which protects the right of freedom of expression and information, and in the UK by the special purposes exemptions in the Data Protection Act 2018.
6. Other retention requirements
- Company records and registration
Under the Companies Act 2006, businesses are required to keep certain company records, such as statutory registers, for as long as the company exists. This includes records of shareholders, directors, and charges on the company.
- Insurance Records
Insurance policies and related claims records may need to be retained for a period after the policy ends to deal with claims that have not yet been made. The retention period here is usually driven by the limitation periods within which a claim can still be brought (set in England and Wales by the Limitation Act 1980) and by the requirements of insurers and, for regulated firms, the financial regulator, rather than by a single data protection rule.
7. Consent withdrawal
- Data still needed for another purpose
Withdrawal of consent only triggers erasure where consent was the sole lawful basis for the processing (Article 17(1)(b)). If a customer withdraws consent for one purpose but the same data is still needed for another purpose that has its own lawful basis, you may keep the data for that other purpose, and only that purpose. For example, a customer might withdraw consent for marketing emails, but their contact details may still be required to administer their account under the contract; you must stop the marketing, but you do not have to delete the record.
Understanding nuances
While the right to erasure gives individuals control over their personal data, it is not absolute. Businesses need to understand when data must be retained so that they stay compliant with GDPR and the other regulations that apply to them. Two practical points follow from the exemptions above. First, refusing an erasure request is not the same as ignoring it: under Article 12 you must still respond without undue delay, and at the latest within one month, explaining which exemption you are relying on and informing the individual of their right to complain to the supervisory authority. Second, data kept under an exemption should be used only for the purpose that justifies keeping it, so a retained record should be restricted or suppressed for every other use rather than left in general circulation. By clearly communicating these exceptions to your clients and customers, you maintain transparency and trust.
If you need help navigating GDPR compliance, understanding data privacy legislation, or knowing how the right to be forgotten applies to your business, Lawyerlink is here to help. We can guide you through the complexities of data privacy regulations, ensuring that your business stays compliant while respecting your customers' rights.
How Lawyerlink can help
Navigating GDPR and data privacy requirements can be challenging, but you don't have to do it alone. At Lawyerlink, we offer expert legal guidance tailored to SMEs, helping you implement effective data privacy measures and stay compliant. With our proactive support, you can focus on growing your business while we handle the complexities of data privacy and GDPR compliance.