Under the GDPR, data subjects can request data controllers to erase all the personal data they’ve collected about them. This is the GDPR right to be forgotten (or right to erasure).
As a data controller, you may be wondering: How can you prove to data subjects that you’ve fulfilled their request?
The answer to this is is a bit abstract, but essentially the protections offered by the GDPR relate to “personal data” which is defined under the Regulation as data that makes it possible to directly or indirectly identify a natural person.
So in the case where a user has exercised the Right to be Forgotten (in regards to all of their data), that user’s personal data would technically no longer exist on your systems and as such the user would no longer be “identifiable” by you or your systems.
The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.
Data controllers are exempt from the fulfillment of “Users’ Rights”, where the data subject cannot be identified — as in case where all of the user’s personal data is removed from your systems in the fulfillment of the initial request.
In this situation, there would be no possibility or need to “provide proof” of something that no longer exists in relation to an identifiable person.
In practical terms, the best way to handle such a request would be to clearly inform the user (at the time of the initial request) that in fulfilling the request, all their data will be removed and that it would therefore be impossible for them to exercise any further rights in regards to this data as the data will no longer exist on your systems.
Another required (in most cases) and practical way of maintaining proof of your overall compliance is to maintain valid records in regards to your processing activities and acquisition of consent (where applicable). This way, you are better equipped to prove (to the Authority or otherwise) that you have systems in place to facilitate the fulfillment of the User’s Rights, even if the data in question is no longer available.
Meeting GDPR regulations can be a technical challenge to implement in practical terms. This is especially true for your register of data processing activities. In order to be compliant, you must be able to keep track of and describe:
Our solution helps you to easily record and manage all the data processing activity within your organization so that you can easily comply with requirements and meet your legal obligations. It allows you to create records of processing activity: add processing activities from 1700+ pre-made options, divide them by area (sub-divisions within which data processing activities are the same), assign processors and other member roles, and to document legal bases and other GDPR-required records.
Please note: As mentioned in this guide, full and extensive records of processing are typically required for organizations that handle “special categories of data” or have more than 250 employees, however there are some record-keeping requirements — such as which data you collect, its purpose, all parties involved in its processing and the data retention period — which are mandatory for everyone. Additionally, even though the GDPR is a common reason to put more effort into your register of data processing activities, our tool is not exclusively made for application under the GDPR. It can also be used for all your data processing activties in general, even by companies who do not have any users/customers within the EU.
In order to comply with privacy laws, especially the GDPR, companies need to store proof of consent so that they can demonstrate that consent was collected. These records must show:
Our Consent Database simplifies this process by helping you to easily store proof of consent and manage consent and privacy preferences for each of your users. It allows you to track every aspect of consent (including the legal or privacy notice and the consent form that the user was presented with at the time of consent collection) and the related preferences expressed by the user.
To use, simply activate the Consent Database and get the API key, then install via HTTP API or JS widget and you’re done; you’ll be able to retrieve consents at any time and keep them updated.