The right to be forgotten: what about the backup of personal data?
Whatever type of business you have, it is quite likely that you process personal data. Just think of your administration, including the customer base and/or personnel files. You may make regular backups of your administration to prevent data loss. Of course, that backup also contains personal data. But what if a data subject wants to exercise his right to be forgotten?
The right to be forgotten
Pursuant to Article 17 of the General Data Protection Regulation (hereinafter: ‘GDPR’), a data subject has ‘the right to be forgotten’. This means that the data subject may request an organization (the ‘controller’) to erase their personal data. But how does that right to be forgotten work in practice?
In most cases, a data subject will submit a removal request to your organization by letter or e-mail. You must then inform the data subject about what you have done with the request within one month of receiving that request. You have two options: you have to delete the personal data or you refuse the request, for example because the processing of the personal data is still necessary for the execution of an agreement.
If you need to delete the personal data, the following problem may arise. You have not only included the personal data of the relevant data subject in your original administration, but also in the backup(s). Removing the personal data from the original records will not be such a problem. It may be different with the backup. But should the personal data actually be removed from the backup?
The answer to that question is nuanced. The right to be forgotten also applies to backups. If a data subject invokes the right to be forgotten, his personal data must in principle be deleted as soon as possible, including from the backup. But what does ‘as soon as possible’ mean? And should the personal data actually be removed from the backup, or is there another solution?
How can you handle backups in compliance with the GDPR?
It is important that you first make an inventory of which personal data you are backing up. You may only process personal data that are necessary for the purpose of your processing and you must also be able to demonstrate that the processing of this personal data is necessary.
In addition, it is important that you regularly make a (new) backup, systematically removing the previous backup. By making a new backup and systematically deleting the previous backup, you comply, albeit with some delay, with the request of the person concerned to be forgotten.
In addition, you must clearly inform those involved (for example your customers) about the additional retention period that you use for backups. Suppose you keep the personal data of your customers in principle 3 years after the last agreement concluded and that you make a monthly backup.
Then it is very possible that you actually store the personal data of a customer for 3 years plus 1 month. You must inform your customers about this, for example in your privacy statement. Finally, it is important that you set up the backup system in such a way that you can also implement (assigned) removal requests from those involved in that system.
In other words: if, for whatever reason, you have to restore a backup of your administration, and as a result the personal data that you had deleted appears in your ‘live’ administration again, you must delete it again. In summary: the personal data does not have to be removed from the backup immediately, as long as the previous backup is deleted when a new backup is made.
In addition, you should be alert when you need to restore the backup. In that case, the personal data of the data subjects who have requested deletion must be deleted (again). In that regard it is advisable to draw up a central document within your organization in which the (assigned) removal requests are kept up to date. Should a situation arise in which a backup is restored, that document can be consulted to see which personal data must be removed (again).
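The restore procedure described above, as an added example that is not part of the original article: a register of removal requests is replayed against the restored data so that deleted subjects do not stay in the ‘live’ administration. The `customers` table, the function names and the sample rows are assumptions made for illustration, and the register is assumed to be stored outside the backup so that a restore cannot roll it back.

```python
import sqlite3

# Constructed sample rows standing in for the customer administration.
SAMPLE = [(1, "Ann", "ann@example.com"),
          (2, "Bob", "bob@example.com"),
          (3, "Cy", "cy@example.com")]

def make_live_db(rows):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?, ?)", rows)
    db.commit()
    return db

def copy_db(source):
    """Full copy; used both to take a backup and to restore one."""
    target = sqlite3.connect(":memory:")
    source.backup(target)
    return target

def customer_ids(db):
    return [r[0] for r in db.execute("SELECT id FROM customers ORDER BY id")]

def erase(live, register, customer_id, granted_on):
    """Delete from the live data and log the request in the central register."""
    live.execute("DELETE FROM customers WHERE id = ?", (customer_id,))
    live.commit()
    register.append({"customer_id": customer_id, "granted_on": granted_on})

def replay_erasures(live, register):
    """After a restore: delete every registered subject again.
    Returns the ids that had reappeared from the backup."""
    reappeared = []
    for entry in register:
        cur = live.execute("DELETE FROM customers WHERE id = ?", (entry["customer_id"],))
        if cur.rowcount:
            reappeared.append(entry["customer_id"])
    live.commit()
    return reappeared

def demo():
    live = make_live_db(SAMPLE)
    register = []                            # assumption: kept outside the backup set
    backup = copy_db(live)                   # backup taken before the request
    erase(live, register, 2, "2024-05-10")   # constructed request date
    live = copy_db(backup)                   # restore brings subject 2 back
    restored = customer_ids(live)
    reappeared = replay_erasures(live, register)
    return restored, reappeared, customer_ids(live)
```

The list returned by `replay_erasures` shows which subjects had reappeared from the backup and were deleted again.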