The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: If I Receive a "Right To Be Forgotten" Request From A Client Who Is An Individual With A Current Contract For A Product Or Service What Do I Do?
Answer: It is important to understand that under the GDPR the “right to be forgotten” is not absolute and only applies in six limited situations, e.g. where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed or where the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing. Both situations do not apply where the personal data provided by an individual for the performance of a contract is still necessary for the performance of that contract. "Contractual necessity" constitutes a legal ground for processing personal data under Article 6(1)(b) of the GDPR.
As a result, if you receive a right to be forgotten request from a current contracting client you should review if and to what extent you still need the individual’s personal data for the performance of the current contract with the individual. If this is still the case, you have the right to decline the client’s request.