The answer to this is a bit abstract, but essentially the protections offered by the GDPR relate to “personal data”, which is defined under the Regulation as data that makes it possible to directly or indirectly identify a natural person.
So in the case where a user has exercised the Right to be Forgotten (in regards to all of their data), that user’s personal data would technically no longer exist on your systems and as such the user would no longer be “identifiable” by you or your systems.
Article 12 of the GDPR states:
The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.
This means that data controllers are exempt from the fulfillment of “Users’ Rights” where the data subject cannot be identified — as in the case where all of the user’s personal data has been removed from your systems in the fulfillment of the initial request.
In this situation there would be no possibility or need to “provide proof” of something that no longer exists in relation to an identifiable person.
In practical terms, the best way to handle such a request would be to clearly inform the user (at the time of the initial request) that in fulfilling the request, all their data will be removed and that it would therefore be impossible for them to exercise any further rights in regards to this data as the data will no longer exist on your systems.
Another required (in most cases) and practical way of maintaining proof of your overall compliance is to maintain valid records of your processing activities and of the acquisition of consent (where applicable). This way, you are better equipped to prove (to the Authority or otherwise) that you have systems in place to facilitate the fulfillment of Users’ Rights, even if the data in question is no longer available.
How iubenda can help
Internal Privacy Management
Meeting GDPR requirements can be a technical challenge to implement in practical terms. This is especially true for internal privacy management. In order to be compliant, you must be able to keep track of and describe:
- which data you collect;
- for which purposes it was collected;
- the legal basis for processing;
- data retention policy for each processing activity;
- the parties involved (both inside and outside your organization);
- security measures;
- data transfer outside of the EU, if any; and
- other related details which may apply company-wide, including data of employees.
Our solution helps you to easily record and manage all the data processing activity within your organization so that you can easily comply with requirements and meet your legal obligations. It allows you to create records of processing activity: add processing activities from 600+ pre-made options, divide them by area (sub-divisions within which data processing activities are the same), assign processors and other member roles, and to document legal bases and other GDPR-required records.
Please note: As mentioned in this guide, full and extensive records of processing are typically required for organizations that handle “special categories of data” or have more than 250 employees; however, there are some record-keeping requirements — such as which data you collect, its purpose, all parties involved in its processing and the data retention period — which are mandatory for everyone. Additionally, even though the GDPR is a common reason to put more effort into internal privacy management, our tool is not exclusively made for application under the GDPR. It can also be used for internal privacy management in general, even by companies who do not have any users/customers within the EU.
For a list of the full features of the Internal Privacy Management tool click here or read the guide here.
Managing consent and maintaining detailed records related to it
In order to comply with privacy laws, especially the GDPR, companies need to store proof of consent so that they can demonstrate that consent was collected. These records must show:
- when consent was provided;
- who provided the consent;
- what their preferences were at the time of the collection;
- which legal or privacy notice they were presented with at the time of the consent collection; and
- which consent collection form they were presented with at the time of the collection.
Our Consent Solution simplifies this process by helping you to easily store proof of consent and manage consent and privacy preferences for each of your users. It allows you to track every aspect of consent (including the legal or privacy notice and the consent form that the user was presented with at the time of consent collection) and the related preferences expressed by the user.
To use, simply activate the Consent Solution and get the API key, then install via HTTP API or JS widget and you’re done; you’ll be able to retrieve consents at any time and keep them updated.
For a list of the full features of the Consent Solution click here or read the guide here.