GDPR for Advisers
January 2018
Deleting personal data – yes or no?
The question of whether a firm is required to delete personal data, or restrict its processing, is addressed in the GDPR and relates in part to the data controller’s basis for processing the personal data. It will be necessary for a firm to assess each request on its facts.
At least one of six criteria must be met for a data controller to lawfully process a data subject’s personal data. Importantly, a data controller must understand what condition it is relying on, since the conditions come into play in the context of how a data controller responds to a request to delete or restrict the processing of the personal data.