Employer (e.g., xxx) sends us contact information for every employee globally. Occasionally, a user requests to opt out of our system and prefers we forget them. However, information about them is still delivered everyday from the employer. What are the options for us to handle the privacy of the individual while handling the requests of our customer (the individual's employer)?
My understanding is that, in the case you presented you are acting as a processor because it is another company (controller) that provides you with the information about the data subjects and also decides what kind of processing activities you should perform.
If this is the case, then the data subject requests, if you receive them, should be directed to the data controller that will analyze them and instruct you how to proceed further.
I want to be clear on this - especially regarding the right to be forgotten. In our case, the customer sends us a list of employees with extensive information. We provide guidelines for the employees to go online, perform evaluations, and enter extensive information on themselves and others. In addition, they may manually add additional people - such as contractors or their customers.
At some point, all of that information is put into reports and stored on our system. So let's say that employee A adds contractor B to evaluate him in a 360 degree evaluation. We generate a report and in the report is a list of reviewers including contractor B. Can we effectively ignore any request by contractor B to be erased?
As mentioned previously my understanding is that you are acting as a processor and performing certain evaluation services on behalf of various controllers. In this case all data subject requests should be directed to the respective controllers.
This doesn't mean that you are ignoring the requests but you are directing them to the controllers so that they can evaluate and decide how to deal with them. If the controllers will consider the request grounded they will instruction you on how to proceed.
When receiving such requests from the data subjects you should just mention that you cannot evaluate their request but you will send it to the data controller.