|Posted: 2019-06-26 13:51|
Right to be forgotten. How do we delete a person record, and not re-add them if we have a data purchase?
|Posted: Thu, 27.06.2019 - 11:12|
We do not provide GDPR legal advice, as the data controller it is your responsibility to design your processes to comply with GDPR. However we can make the following comment, if one of your data subjects exercises their Right to be Forgotten with your company, part of your process should be to check where you sourced their data from. If the data was provided via a third party (e.g. data purchase) – you should also inform the Data Subject of this source of data and suggest that they contact the third party to exercise their right to be forgotten with them as well. Otherwise next time you get data from this data source, you will receive the data subjects data back again! You would need to take advice on whether you can inform the third party of the request, or whether you can extend the timeline (check the ICO guidelines).
Don’t forget if you have shared the data with a third party, you also need to inform that third party of the request to be forgotten (https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/#ib4)