Written by Raymond Faber and Cyril Pierre-Beausse - Avocats à la Cour

Published on 16.10.2018 - Paperjam

For 23 years, European data protection rules have prohibited the retention of personal data for longer than necessary. The GDPR confirms this principle and deploys an arsenal of prerogatives allowing the persons concerned to benefit from a "right to be forgotten".

Today, as in the past, there can be no lawful processing of personal data without a legitimate purpose. But every purpose eventually comes to an end, and every personal data is "dead". To continue to process personal data beyond the expiration of this purpose is illegitimate and therefore illegal. When the time comes, the data controller must therefore stop actively processing or using personal data when the operational needs of the processing have come to an end, and then destroy it as soon as possible when the law no longer obliges him to keep it or requires its deletion. In between these two steps, it would be good practice to put the data in a safe place that is difficult to access (physically or electronically) and out of reach of malicious persons.

Personal data, I keep you a little..., a lot..., forever...? Damn, the law does not say anything!

How long can I keep personal data before I have to destroy it?

The simplest situation is when the law provides for a data retention period or prescription, as is the case, for example, for KYC ("know your customer") procedures, 5 years (or even 10 years), the commercial prescription, 10 years, etc. Beyond these legal deadlines, the RGPD requires setting and documenting a reasonable, justified and proportionate retention where, precisely, the law says nothing. Once this period - legal or not - has expired, the personal data should be automatically destroyed if the data controller cannot rely on one of the limited exceptions provided for in the European regulation (for example, if the data is necessary for the establishment, exercise or defence of legal claims).

But does the data really have to be destroyed to comply with the GDPR? In other words, can I as a data controller keep the data without violating this text? The answer is yes, you just have to "anonymize" the data by making sure that any link between the data and the natural person is irretrievably destroyed, and that the latter can never be re-identified from the remaining data. Anonymized data is not considered as personal data, unlike pseudonymized data, which a data controller will always be able to link to a natural person. Beware, the anonymization of personal data is not an easy task!

The right to be forgotten, in practice, above all an obligation of erasure for the data controller...

The right to be forgotten now allows data subjects to request the destruction of data whose processing was based on their consent, once it has been withdrawn, or if they have exercised their right to object to the processing.

Beyond that, this right can also be used by data subjects to demand the destruction of data that the data controller should have already destroyed or anonymized spontaneously, once the purpose of their processing is completed. And this can be done long before a request is made by the individual. In reality, a request for the right to be forgotten on such a basis simply establishes that unlawful processing has taken place between the expiry of the purpose of the processing and the data subject's request.

Furthermore, when the data controller has made the personal data public (in particular by publishing it on the Internet), the GDPR obliges him to take reasonable steps to inform other data controllers who would process this personal data of the data subject's request for erasure, taking into account the available technologies and the costs of implementation. It is therefore an obligation of means, taking into account the reality on the ground that personal data is often transferred to a multitude of actors making it difficult or impossible to control the "end-to-end" of the transferred data.

A change of mindset is needed

A common reflex is to keep all possible data (including personal data) for an unlimited period of time in the belief that a complete archive protects the organization by enabling it to respond to any request. European legislation has long required the destruction of personal data that has become obsolete. The RGPD confirms this principle, attaches huge penalties and gives new rights to data subjects. From now on, it is much more dangerous for an organization to keep data for too long than to destroy it prematurely! A change of mindset is necessary...