With the entry into force of the GDPR, any person has the right to have personal data relating to him or herself deleted immediately if the data collected are no longer needed for the purposes stated, if the data subject withdraws his or her consent to the processing or objects to the processing of his or her data or if the personal data have been unlawfully processed (see Art. 17 GDPR). What does this mean for your company?
It means that people may contact your company and assert their rights to deletion, correction and information. The request can be made informally, even verbally, and must be dealt with immediately, at the latest within one month of the request. The deadline can be extended by two months if the processing of the request is complex and a large number of requests have to be processed. In this case, however, the person responsible must inform the applicant of the reasons for the delay.
To process the request properly, all data such as name, telephone number, e-mail address, contact details, address, correspondence, invoices, contracts, etc. must be located. This can be very complex, for example if the data is stored independently in several departments and different systems. Large companies in particular can find it very difficult to locate all the required data within the legal deadline, as they often have several business locations. Manual processing of a request is extremely time- and cost-intensive and carries the risk of bottlenecks when a large number of requests arrive at the same time.
The deletion has to take place free of charge. A fee may only be charged if the request is manifestly unfounded or excessive, in particular because of the frequency with which requests are made.
Following the deletion procedure, the person concerned shall be informed in writing of the measure taken. The notification must be compact, transparent and comprehensible to the data subject. Electronic media such as e-mail may be used if the request has been submitted electronically. If expressly requested, however, the notification must be transmitted on paper. Verbal communication is only permissible if the identity of the person has been established beyond doubt.
Violations of these rights could result in fines of up to EUR 20 million or 4% of the total annual worldwide sales generated in the previous fiscal year.