Iubenda logo
Start generating

Documentation

Table of Contents

How to Prove You Honored the Right to Be Forgotten

What is the Right to Be Forgotten under the GDPR?

Under the GDPR, data subjects can request data controllers to erase all the personal data they’ve collected about them. This is the GDPR right to be forgotten (or right to erasure).

As a data controller, you may be wondering: How can you prove to data subjects that you’ve fulfilled their request?

right to be forgotten gdpr

How to prove you honored the Right to Be Forgotten (GDPR)

The answer to this is is a bit abstract, but essentially the protections offered by the GDPR relate to “personal data” which is defined under the Regulation as data that makes it possible to directly or indirectly identify a natural person.

So in the case where a user has exercised the Right to be Forgotten (in regards to all of their data), that user’s personal data would technically no longer exist on your systems and as such the user would no longer be “identifiable” by you or your systems.

Article 12 of the GDPR states:

The controller shall facilitate the exercise of data subject rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on the request of the data subject for exercising his or her rights under Articles 15 to 22, unless the controller demonstrates that it is not in a position to identify the data subject.

What does this mean?

Data controllers are exempt from the fulfillment of “Users’ Rights”, where the data subject cannot be identified — as in case where all of the user’s personal data is removed from your systems in the fulfillment of the initial request.

In this situation, there would be no possibility or need to “provide proof” of something that no longer exists in relation to an identifiable person.

In practical terms, the best way to handle such a request would be to clearly inform the user (at the time of the initial request) that in fulfilling the request, all their data will be removed and that it would therefore be impossible for them to exercise any further rights in regards to this data as the data will no longer exist on your systems.

Another required (in most cases) and practical way of maintaining proof of your overall compliance is to maintain valid records in regards to your processing activities and acquisition of consent (where applicable). This way, you are better equipped to prove (to the Authority or otherwise) that you have systems in place to facilitate the fulfillment of the User’s Rights, even if the data in question is no longer available.

How iubenda can help

Register of Data Processing Activities

Meeting GDPR regulations can be a technical challenge to implement in practical terms. This is especially true for your register of data processing activities. In order to be compliant, you must be able to keep track of and describe:

  • which data you collect;
  • for which purposes it was collected;
  • the legal basis for processing;
  • data retention policy for each processing activity;
  • the parties involved (both inside and outside your organization);
  • security measures;
  • data transfer outside of the EU, if any; and
  • other related details which may apply company-wide, including data of employees.

Our solution helps you to easily record and manage all the data processing activity within your organization so that you can easily comply with requirements and meet your legal obligations. It allows you to create records of processing activity: add processing activities from 1700+ pre-made options, divide them by area (sub-divisions within which data processing activities are the same), assign processors and other member roles, and to document legal bases and other GDPR-required records.

Please note: As mentioned in this guide, full and extensive records of processing are typically required for organizations that handle “special categories of data” or have more than 250 employees, however there are some record-keeping requirements — such as which data you collect, its purpose, all parties involved in its processing and the data retention period — which are mandatory for everyone. Additionally, even though the GDPR is a common reason to put more effort into your register of data processing activities, our tool is not exclusively made for application under the GDPR. It can also be used for all your data processing activties in general, even by companies who do not have any users/customers within the EU.

👉 For a list of the full features of the Register of Data Processing Activities, click here or read the guide here.

Managing consent and maintaining detailed records related to it

In order to comply with privacy laws, especially the GDPR, companies need to store proof of consent so that they can demonstrate that consent was collected. These records must show:

  • when consent was provided;
  • who provided the consent;
  • what their preferences were at the time of the collection;
  • which legal or privacy notice they were presented with at the time of the consent collection; and
  • which consent collection form they were presented with at the time of the collection.

Our Consent Database simplifies this process by helping you to easily store proof of consent and manage consent and privacy preferences for each of your users. It allows you to track every aspect of consent (including the legal or privacy notice and the consent form that the user was presented with at the time of consent collection) and the related preferences expressed by the user.

To use, simply activate the Consent Database and get the API key, then install via HTTP API or JS widget and you’re done; you’ll be able to retrieve consents at any time and keep them updated.

👉 For a list of the full features of the Consent Database click here or read the guide here.

Fulfill your users’ request easily

Start generating

Read also