Guest user Created: Mar 14, 2018 Last commented: Mar 14, 2018

The GDPR “right to be forgotten”

Our company acts as data processor in the social care/health care sector in the UK/Ireland. Does the Data Privacy Act obligation of retention of data get overruled by the GDPR “right to be forgotten” – for example, if a social care services provider are retaining a person’s data for 10 years in line with the UK DPA 1988 and the person in June says they want to be forgotten, then what is the legal advice in the case of healthcare data for data controllers/data processors?

0 0

Assign topic to the user

Select user

Expert

Andrei Hanganu Mar 14, 2018

Answer:

The right to be forgotten is not an absolute right that the data subject has in relation with its data. A controller does not need to comply with such a request the processing is:
- necessary for rights of freedom of expression or information;
- for compliance with a legal obligation under Union or Member State law;
- in the public interest or carried out by an official authority;
- for public interest in the area of public health;
- for archiving or research;
- for legal claims.

So, as you can see if there is a legal obligations set forth under Member State law then you need to keep the data even if the data subject requests for the data to be deleted.

For more information about data subject rights you can check out or webinar “Data Subject Rights under the EU GDPR” https://advisera.com/eugdpracademy/webinar/data-subject-rights-under-the-eu-gdpr-free-webinar-on-demand/

Quote

0 0

Comment as guest or Sign in

HTML tags are not allowed

Name *

Email *

I accept the Privacy and Terms

Notify me when someone replies

Mar 14, 2018

Expert Advice Community