Customer asking for data to be removed?

[simonukbf38468]

I've not had to deal with this before and not sure what action I should take.

A long standing business customer has recently cancelled their account with my business and is asking for all information about him and his business to be deleted. I guess this is a GDPR thing?

In 20 years of running my business nobody has ever asked for this before.

I feel I should retain the data for accounting reasons - eg if he comes does a credit card chargeback in 3 months time. How will deleting his invoices affect my end of year accounting? It's also useful to have the information to hand for other reasons (helpful for my poor memory!)

I've offered to remove his card payment details, etc.

Any help hugely appreciated.

 

[cjd]

He has a right to ask and you must delete it but you can keep data that you need to run your business effectively - but no longer than necessary. If you need some data for your accounts or other real reason that's fine, but keeping his hat size would not be (for example).

We delete all data automatically after 12 months of account closure and some that is not needed by us (or the regulator) on request. It's not a common request and sometimes you wonder what's going on, so make sure you've been paid for everything ;-)

You should really have a privacy statement for this alongside your T&Cs.

https://ico.org.uk/your-data-matters/your-right-to-get-your-data-deleted/

 

[simonukbf38468]

Thanks cjd - that's explained perfectly. I'll have a chat with him and see if he's happy with that.

 

[MBE2017]

I had a client request this, I pointed out that should he ever wish to ever query anything, without the data my company would struggle to offer the same level of service he had come to expect up to that point. After considering things he withdrew his request.

 

[cjd]

We've had customers come back after their data has been deleted and ask for it to be reinstated. Er, how?

Customers eh? Bless 'em

 

[gpietersz]

You can keep information about organisations, its only personal data about an identifiable idividual that has to be removed.

@cjd mentions automatic deletion You are supposed to delete any personal data which is out of date or no longer required for a lawful purpose.

 

[Lucan Unlordly]

You can keep information about organisations, its only personal data about an identifiable idividual that has to be removed.

What if that information is important for the integrity of the website, for example sporting record sites of which there are many?

 

[cjd]

What if that information is important for the integrity of the website, for example sporting record sites of which there are many?

Sporting records would be public not private data.

 

[Lucan Unlordly]

Sporting records would be public not private data.

The records I'm thinking of include dates of birth and full names as well. Essential to ensure that returning competitors do not conveniently forget their earlier achievements in order to gain an unfair - and unsafe - advantage. Viewable by password privileged subscribers for a set period of time and stored for a lot longer in order to cross reference against should the need arise.

 

[cjd]

The records I'm thinking of include dates of birth and full names as well.

That's pretty plainly personal information. If you were given that by them and they ask you to remove it, in my opinion you have to. All other things being equal - but see below.

Essential to ensure that returning competitors do not conveniently forget their earlier achievements in order to gain an unfair - and unsafe - advantage. Viewable by password privileged subscribers for a set period of time and stored for a lot longer in order to cross reference against should the need arise.

That may well be a reasonable reason to keep the information, but you need to get professional advice and you need to have a published privacy policy that those that give you the information are fully aware of. Try the ICO, they tend to be very helpful.

 

[simonukbf38468]

This is all really interesting. The data I hold is only business contact information and a list of the products they've bought previously. It seems like it's fine to retain this information for 12 months or so after they cancel.

 

[WaveJumper]

Speaking from experience if you are using, storing etc lots of personal data make sure you have all the correct process's in place you only need one shell we say 'difficult' person who thinks they know the law better than you and you will be pleased that you can reach out and grab those files with the control process's you put in place.

https://ico.org.uk/for-organisation...n-gdpr/key-definitions/what-is-personal-data/

 

[cjd]

This is all really interesting. The data I hold is only business contact information and a list of the products they've bought previously. It seems like it's fine to retain this information for 12 months or so after they cancel.

What's reasonable to keep and for how long depends on the business. You are not allowed to keep data for a random amount of time - our 12 months is based on industry best practice; we need to keep calling records and IP addresses etc for legal and regulatory reasons.

 

[Chris Ashdown]

Whilst you are legally obliged to keep financial records for I think 6 years, that does not stop you deleting emails, contacts, phone numbers and so on from your current computer records. although i would keep copies of any contracts
Just my thoughts

 

[Paul Norman]

We do, infrequently, get this.

What is needed for accounting purposes is minimal, and how long you must keep it is business specific.

We just comply by removing them from our data base. Of course, someone in the archives there might be in invoice with their address on it still.

 

[Lucan Unlordly]

That's pretty plainly personal information. If you were given that by them and they ask you to remove it, in my opinion you have to. All other things being equal - but see below.

What's reasonable to keep and for how long depends on the business. You are not allowed to keep data for a random amount of time - our 12 months is based on industry best practice; we need to keep calling records and IP addresses etc for legal and regulatory reasons.

Our situation is one of fair play and 'insurance' in order to safeguard competitors. Whilst we have no liability in this respect as any information we provide comes without guarantees, as with any insurance, historical evidence is often useful.

 

[tony84]

I have only had one customer come back and ask for data be deleted.
We refused. The reason for that is insurance and compliance purposes. A customer can complain about a mortgage miss sale for decades. In order to defend myself against a complaint I need all the data.

You can refuse but there needs to be a valid reason. Insurance, legal, accounting etc.

 

[Deleted member 59730]

We kept sales data for years after a customer left us. This was data related to specific shops. Chances were that a few years down the line a new owner would want to know what a previous owner had achieved with our products. As all this data was in instantly recoverable form, ie IRF. all we had to do was extract an index card from a folder. No computers or deletion needed.