The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: If I receive a right to be forgotten request from an employee do I have to honor it?
Answer: Not necessarily. The GDPR indicates that people have a “right to be forgotten” in some situations, but that right is not absolute. Rather, it exists only in the following six situations, many of which do not apply to personal data collected as part of an employment relationship.
- Companies must delete data upon request if the data is no longer necessary. If personal data that was collected by a company about an individual is “no longer necessary in relation to the purposes for which [it was] collected,” the company typically must honor a right to be forgotten request.[1] Therefore, if an employee or a former employee makes a right to be forgotten request, a company should begin by asking (1) why the data was collected in the first place, and (2) whether the data is still needed for that purpose.
- Companies must delete data upon request if the data was processed based solely on consent. The GDPR allows companies to process data in six different types of situations.[2] While one of those situations is where a person has “given consent” to the processing, the Article 29 Working Party – an influential, independent advisory body to the European Commission on data protection matters that is chiefly comprised of representatives from each member state’s data protection authority – has taken the position that “for the majority of . . . data processing at work, the legal basis cannot and should not be the consent of the employees” because of the perceived unequal bargaining position between an employer and an employee.[3] As consent is typically not the sole basis for which an employer processes data, an employer typically is not required to honor a right to be forgotten request simply because an employee purports to be withdrawing his or her consent.
- Companies must delete data upon request if the data was processed based upon the controller’s legitimate interest, and that interest is outweighed by the data subject’s rights. One of the other grounds upon which a company can process data is to further the company’s “legitimate interest.” When processing is based upon a company’s legitimate interest, an employee has a right to request deletion unless the employer’s or a third party’s interest is demonstrably “overriding.”[4] In the employment context most processing is not based upon the controller’s legitimate interest, but rather on the performance of the employer’s obligations to the employee or on legal requirements to collect information. That said, if a company did collect information for its legitimate interest (e.g., shirt sizes of employees in order to provide jerseys for an office softball team), the data subject’s request that the information be deleted would typically not be overridden by the company’s interest in the information.
- Companies must delete data upon request if the data is being processed unlawfully. The GDPR states that a right to be forgotten request must be honored if the processing of the personal data is (or has become) unlawful.[5] Assuming that an employer is lawfully processing data relating to an employee, or former employee, this situation may have little applicability.
- Companies must delete data upon request if erasure is already required by law. The GDPR states that a right to be forgotten request must be honored if the data is required to “be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.”[6] If an employer is required to erase data pursuant to another member state law and is complying with that requirement, there may be few, if any, situations in which additional action would be necessitated by a right to be forgotten request.
- Companies must delete data upon request if it was collected from a child as part of offering an information society service. The GDPR requires the deletion of information when requested where the information was “collected in relation to the offer of information society services” to children under 16.[7] Even if your organization employs children under the age of 16, it is unlikely that the situation would be characterized as the offering of an information society service. As a result, this situation does not apply to most employers.
Even if one of the situations described above is present, a company does not always need to honor a right to be forgotten request. For example, a company can choose to decline such a request if honoring it would interfere with a legal obligation imposed on the company to maintain employee data, or if an employee’s data is needed to establish, exercise, or defend a legal claim.