Discussed many times and yet no less important: for processing to be lawful, personal data must be processed on the basis of the consent of the data subject concerned or on some other legitimate basis. The same applies if the legal basis ceases to exist. In that case, too, processing must be prevented and the data removed.
In addition, pursuant to Art. 17 GDPR, data subjects have the right, if the requirements are met, to demand that the controller erase their personal data, provided that this does not conflict with any of the exceptions under Art. 17 (3) GDPR. If such a claim exists, the data must be deleted entirely and it must be made impossible to restore it.
On the other hand, Article 32 GDPR obliges the controller to ensure the security of processing by means of appropriate technical and organisational measures. This gives concrete form to the principle of integrity and confidentiality (Article 5 (1) (f) GDPR), according to which personal data must be processed in a manner that ensures protection against loss, destruction or damage. The controller is thus obliged to ensure the availability and recoverability of personal data, Art. 32 (1) (b-c) GDPR.
Backups are appropriate measures for ensuring availability and recoverability in the short to medium term. According to the "state of the art", backups should preserve their integrity, be audit-proof, and allow an error-free system to be restored in the event of a recovery.
But how can this go hand in hand with the requirement for erasure? It is in the nature and purpose of backups that they usually do not provide a deletion or filtering option. Targeted deletion of specific data is therefore almost impossible. However, in order to meet the requirements of Art. 12 and Art. 17 GDPR, the personal data would have to be deleted within one month at the latest in the case of a legitimate claim.
What to do?
Consequently, the question arises as to how these provisions relate to each other, as well as the practical problem of how to deal with a request for erasure from a data subject.
This view is also held by the ICO (Information Commissioner's Office), the British supervisory authority. In its statement, the ICO pointed out that deleting personal data is not always feasible and that putting information "beyond use" is an option that should be kept in mind. This would be the case, for example, if data has been deleted but still exists somewhere (e.g., in the case of shredded documents), or if the data would have to be deleted but this is not technically feasible without damaging or removing other data. The latter could also restrict the right to availability (Art. 32 (1) (b-c) GDPR) of other data subjects.
The ICO held that putting data "beyond use" can be legitimate provided that the data controller:
- is not able, or will not attempt, to use the personal data to form any decision in respect of any individual or in a manner that affects the individual in any way;
- does not give any other organisation access to the personal data;
- surrounds the personal data with appropriate technical and organisational security; and
- commits to permanent deletion of the information if, or when, this becomes possible.
Ultimately, one can argue that the obligation to implement adequate security measures in the form of a backup is a legal obligation and that, therefore, the exception of Art. 17 (3) (b) GDPR can apply where deletion of a single data set from a backup is technically not feasible and would defeat the purpose of the backup.