What is your take and solution to this problem? What formulations could I include in our GDPR policies, and in which documents (policies, notices, schedules etc) in the toolkit should I include formulations in order to be compliant?
Let's begin with some considerations about the right to be forgotten as set out in EU GDPR "Article 17 Right to erasure ('right to be forgotten')" https://advisera.com/eugdpracademy/gdpr/right-to-erasure-right-to-be-forgotten/
You must comply with an erasure request where:
- the data subject has objected to the processing and (other than in relation to objections to direct marketing) there are no overriding legitimate interests to justify that processing;
- the personal data is no longer needed for the purpose for which it was collected or processed;
- the individual withdraws consent and there are no other grounds for the processing;
- the personal data is unlawfully processed;
- there is a legal obligation under Union or Member State law to erase the personal data; or
- personal data was processed in connection with an online service offered to a child.
You do not need to comply if the processing is:
- necessary for rights of freedom of expression or information;
- for compliance with a legal obligation under Union or Member State law;
- in the public interest or carried out by an official authority;
- for public interest in the area of public health;
- for archiving or research; or
- for legal claims.
So before considering erasing the data, you should perform an assessment based on the information provided above.
However, if you find yourself in the situation where the erasure request is valid, you need to comply with it, or prove that you did your best to comply, regardless of whether the data is stored locally or elsewhere.
You can learn more about data subject rights by going through our article “8 data subject rights according to GDPR” https://advisera.com/eugdpracademy/knowledgebase/8-data-subject-rights-according-to-gdpr/