Right of erasure request (right to be forgotten) policy
RIGHT OF ERASURE REQUEST (RIGHT TO BE FORGOTTEN) POLICY
Individuals have the right to request erasure of their personal data in certain circumstances. Our business must comply with the requirements of the General Data Protection Regulations (GDPR) and we must be able to demonstrate compliance to the Information Commissioner’s Office (ICO).
Upon receipt of a request for erasure our internal policy is as follows:
Carl Pote is responsible for the handling of right of erasure requests in our business.
The duties of Carl Pote include but are not limited to:
- Log the receipt and fulfilment of all requests received from a data subject/the person making the request/requestor.
- Acknowledge the request.
- Verify the identity of any person making the request.
- Maintain a database on the volume of requests and compliance against the statutory timescales.
- Verify whether if we are the controller of the data subject’s personal data.
- Check if we are not a controller, but rather a processor. If so, inform the data subject and refer them to the actual controller. This needs to be recorded in writing.
- Where applicable, decide if a request is excessive, unfounded or repetitive and communicate this to the requestor.
- Decide if an exemption applies.
- If a request is submitted in electronic form, any information should preferably be provided by electronic means as well.
Oral or written requests
Right of erasure requests can be made in writing, electronically or verbally.
If a member of staff is in any doubt if a certain situation has given rise to a valid right of erasure, contact Carl Pote by email providing full details of the incident. Staff should do this without delay and certainly within [TWO] business days.
Where a member of staff receives a right of erasure request, they must email the relevant information to Carl Pote without delay and certainly within [two] business days.
How do we verify the requestor’s identity?
If we are in doubt as to the identity of the requestor, you may ask the individual to supply valid evidence to prove their identity.
We may verify the requestor’s identity either through a phone call where we ask questions that only the requestor will know the answers to or by requesting forms of identification.
We accept the following forms of identification:
- Current UK/EEA Passport
- UK Driving Licence
- Financial Statement issued by bank, building society or credit card company
- Utility bill for supply of gas, electric, water or telephone landline]
How to process the request
Our aim is to determine the validity of the erasure request. If the request is not clear, or where if we process a large quantity of information about an individual, the GDPR permits us to ask the individual to specify the information the request relates to. Where this applies, we will proceed with a request for additional information.
We must respond to the data subject within 30 days of receiving the request as valid. This is a requirement under the GDPR.
Any employee, who receives a request from Carl Pote to locate and supply information relating to an erasure request, must make a full exhaustive search of the records which they are responsible for or own. This may include but is not limited to emails (including archived emails and those that have been deleted but are still recoverable), Word documents, spreadsheets, databases, systems, removable media (for example, memory sticks), recordings, paper records in relevant filing systems.
Carl Pote should check whether the erasure request also involves data shared with third parties or online.
If it’s found to be a valid request for erasure we must comply unless an exemption can be applied (see below). Information must be supplied in an intelligible form and we must explain acronyms, codes or complex terms, where relevant.
No charge to comply with the request (with exceptions)
We must fulfill valid requests for erasure free of charge, as per the GDPR rules. However, we may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive.
Where applicable, Carl Pote will determine the ‘reasonable fee’ that must be based on our administrative cost incurred by our business.
Excessive, manifestly unfounded or repetitive requests
Where requests are manifestly unfounded, excessive and repetitive, we may refuse to act on the request or charge a reasonable administration fee. Carl Pote will make a decision on this.
Carl Pote must provide information on our decision to the requestor in writing within 30 days and must state how they reached their decision.
As stated we have to respond to a request for erasure within 30 days. If more time is needed to respond to complex requests, an extension of another two months is permissible, provided this is communicated to the data subject in a timely manner and within 30 days.
Where we decide not to take action on the request of the data subject, we need to inform the data subject of this decision without delay and at the latest within 30 days of receipt of the request.
How to handle exemptions?
If a member of staff believes that we have a valid business reason for an exemption, please inform the Carl Pote without delay by email to email@example.com.
Where a requestor is not satisfied with a response to a request, we must manage this as a complaint. We must advise the requestor that if they remain unhappy with the outcome they may complain to the Information Commissioners Office or take legal action against us.
Breaches of this policy by members of staff will be investigated and may result in disciplinary action. Serious breaches of policy may be considered gross misconduct and result in dismissal without notice, or legal action being taken against the relevant member of staff.
Please note: Markel Law owns the copyright in this document. You must not use this document in any way that infringes the intellectual property rights in it. You may download and print this document which you may then use, copy or reproduce for your own internal non-profit making purposes. However, under no circumstances are you permitted to use, copy or reproduce this document with a view to profit or gain. In addition, you must not sell or distribute this document to third parties who are not members of your organisation, whether for monetary payment or otherwise.
This document is intended to serve as general guidance only and does not constitute legal advice. The application and impact of laws can vary widely based on the specific facts involved. This document should not be used as a substitute for consultation with professional legal or other competent advisers. Before making any decision or taking any action, you should consult a Markel Law professional.
In no circumstances will Markel Law LLP, or any company within the Markel Group be liable for any decision made or action taken in reliance on the information contained within this document or for any consequential, special or similar damages, even if advised of the possibility of such damages.