Hi, I work for a cloud hosting provider, and I have a question related to the right of erasure. Our users rent server space from us, and upload their own data to the servers to complete tasks. We do not directly collect this data from them, but we do take necessary measures to back up their data and to ensure they are protected against data loss while they are paying for the services. So we have two data stores: the customer's server account, and the backup of the customer's server account. Under the GDPR, are we obligated to erase this data if a customer requests it? We did not explicitly request this data from the customer, and we do not process it in any way, other than preserving the data on the server and backups.
As a cloud hosting provider, according to Article 28 GDPR (Processor), you should act as a Data Processor. In this case, the data subjects who have personal data on your servers on behalf of your customers must exercise their right to deletion toward the data controllers (your customers), per Art 17 (Right to erasure) para 1: "The data subject shall have the right to obtain from the controller the erasure of personal data". If you, as a Data Processor, receive a deletion request from a data subject, you should either forward the request to the right customer or inform the data subject that they should exercise their right towards the respective data controller.
However, if one of your business customers requests that you delete the personal data they are accountable for, you should comply with this request, because they act as a data controller, per Art 28 para 3 (e): "taking into account the nature of the processing, assists the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller's obligation to respond to requests for exercising the data subject's rights". Regarding data from the backups, that data is deleted anyway after a while.