Retention of data with personal elements

Discussion in 'General Data Protection Regulation (GDPR) Forum' started by Alex Lake, Feb 5, 2018.

  1. Alex Lake

    OK, so we're a telecoms company and there are a couple of things I'm unsure about:

    1) Call records - we keep these for a long time for the purposes of allowing customers to see their records, and also for settlement with our partner telcos (billing, etc). Also, we do get DPA requests from the Police when they think one of our numbers has been involved in fraud, etc.

    2) Payment records - our customers can pay by card, direct debit, cash at the bank, bank transfer, etc. We retain this data for very similar reasons to those above.

    If a customer says they want us to forget them, are we entitled to say "Yes, but we need to hold on to them for X months for the purpose of zzzzzz"?

    Also, if a customer is identified as being part of a fraud, are they allowed to force us to forget them, so that they can do it again?
    Posted: Feb 5, 2018 By: Alex Lake Member since: Feb 5, 2018
  2. DavidJWSmith

    The relationship between data subject rights, your rights, and other legal obligations is complex, but it means that the data subject rights cannot be absolute.

    As the data controller, you can define the retention period for any personal data you process; however, you may be called to answer for the decisions you make. You will notice that the legal bases for processing in Article 6 of GDPR, with the exception of consent, all start with the phrase 'necessary for ...'. Furthermore, it is the responsibility of the data controller to 'demonstrate they have complied with the regulation'.

    Taken together, these help data controllers arrive at sensible decisions for data retention. Some examples: HMRC requires organisations to keep financial records for six complete financial years. A suitable retention period for this data would be 7 years. Information concerning employees who have handled hazardous waste may need to be kept for as long as it is plausible a claim may be made against the organisation. How long is that, one lifetime? What about if the problem manifests itself in n-th generations? Perhaps the retention period for this data should be 200 years, or even longer.

    The point of this is to show that different data have different durations for when it might be 'necessary' to process them. You may have obligations to process (perhaps retain) personal data which conflict with the data subject rights. You may not be able to grant a request to be forgotten, but if this is the case you will need to explain this to the data subject together with the reasoning, and potentially be prepared to answer for your decision to the appropriate authorities.

    Also, where people are unsubscribing from communication, such as direct marketing, the right to erasure applies. However, the data subject will probably also state a desire not to receive direct marketing in the future. To be clear, I mean that it is the data subject who should not be sent direct marketing, not the 'data record' you will delete. This means you could plausibly re-discover a data subject who has requested not to receive direct marketing.

    You should suppress your direct marketing against your list of people who have said they do not want to receive it. But to have that list, you must store (process) the personal data, that same personal data they requested you erase! Clearly you have a 'legal obligation' to prevent direct marketing to these people, so you should retain their data, but only for direct marketing suppression. You will need to explain this to data subjects.
    Posted: Feb 10, 2018 By: DavidJWSmith Member since: Feb 6, 2018