Right to Erasure (RTBF) from Backups
So the infamous 'Right to be Forgotten' (RTBF), also called 'Right to Erasure', is now law. It is commonly thought to be an innovation of GDPR, but in fact this has been the law in the EU since the Google Spain decision in 2014.
What does it mean to delete ('erase') information about a data subject? Is deleting the subject’s data from our main app or program database sufficient or must the data be deleted from all systems, databases and backups? And how are we to delete data from backups that may be stored for years?
GDPR's Article 17 does not specifically relate to backups, and neither do the Recitals. We turn to the guidance notes of the UK's ICO, which gives helpful guidance on matters of privacy rules. The ICO states “If a valid erasure request is received and no exemption applies then you will have to take steps to ensure erasure from backup systems as well as live systems… It may be that the erasure request can be instantly fulfilled in respect of live systems, but that the data will remain within the backup environment for a certain period of time until it is overwritten. The key issue is to put the backup data ‘beyond use’, even if it cannot be immediately overwritten. You must ensure that you do not use the data within the backup for any other purpose, ie that the backup is simply held on your systems until it is replaced in line with an established schedule.”
In short, in the first instance, an RTBF request should be executed by putting the data 'beyond use'. Over a reasonable period of time, the data must also be erased from backups.
Regarding the question of how to treat a person’s information stored in backups held over the years, this is uniquely about RTBF. More generally, Article 5 of GDPR provides general principles relating to processing of personal data. Subsection (c) of that article states that “Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)”. Recital 39 adds “This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum… In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.”
So even in the absence of any requests by data subjects for their data to be deleted, one will have to implement a suitable system to delete all personal data when it is no longer necessary. In practice, this means that backups of personal data should not be kept forever. Rather they should be automatically overwritten after a suitable period of time. Of course, the suitable periods of data retention will depend on the purposes of the processing, the industry, the exact jurisdiction etc.
The Danish data protection authority has issued an opinion on RTBF in backups, and advised that where erasure from the backup is feasible, it should be undertaken (the boundaries of that feasibility need to be examined on a case by case basis). Where erasing specific personal data isn't feasible, the data controller must at least ensure that, if and when the backup is used to restore data, the specific data covered by the RTBF request is not restored.
Assuming that backups are deleted at regular intervals as required by Article 5, the way to deal with a request for erasure would then be to delete that person’s personal data from all live systems and let them know that their personal data will be permanently deleted from all backups according to the organization's backup and overwriting schedule, or more generally, its data retention policy if it has one. It's also advisable to keep a verifiable, non-identifiable log of RTBF requests.
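One way to combine the restore-time suppression described in the Danish guidance with the request log suggested above, as an added example that is not from the original article. It assumes a keyed hash of a normalised email is an acceptable stand-in for a "non-identifiable" entry; `LOG_KEY`, the function names and the sample rows are hypothetical and constructed.

```python
import hashlib, hmac, json
from datetime import date

# Assumption: the key lives outside the backup set (e.g. in a KMS). Constructed value.
LOG_KEY = b"constructed-demo-key-not-for-production"

def subject_token(identifier: str, key: bytes = LOG_KEY) -> str:
    """Keyed hash of a normalised identifier; the log never stores the raw value."""
    norm = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, norm, hashlib.sha256).hexdigest()

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def log_erasure(log: list, identifier: str, received: date) -> dict:
    """Append an entry chained to the previous one, so edits to the log are detectable."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    body = {"token": subject_token(identifier), "received": received.isoformat(), "prev": prev}
    body["entry_hash"] = _digest(body)
    log.append(body)
    return body

def verify_log(log: list) -> bool:
    """Recompute every entry hash and check each link to its predecessor."""
    prev = "0" * 64
    for e in log:
        body = {k: e[k] for k in ("token", "received", "prev")}
        if e["prev"] != prev or e["entry_hash"] != _digest(body):
            return False
        prev = e["entry_hash"]
    return True

def restore_filter(backup_rows: list, log: list, id_field: str = "email"):
    """Return (rows safe to restore, number of rows suppressed by the erasure log)."""
    erased = {e["token"] for e in log}
    kept = [r for r in backup_rows if subject_token(r[id_field]) not in erased]
    return kept, len(backup_rows) - len(kept)

# Constructed sample backup contents; note the inconsistent case and whitespace.
BACKUP = [
    {"email": "alice@example.com", "plan": "pro"},
    {"email": "Bob@Example.com ", "plan": "free"},
    {"email": "carol@example.com", "plan": "pro"},
]

def demo():
    log = []
    log_erasure(log, "bob@example.com", date(2024, 1, 15))
    return (log, *restore_filter(BACKUP, log))
```

The log must itself be stored outside the backups it governs, otherwise restoring an older backup would also roll back the record of erasure requests.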
DISCLAIMER: THIS IS NOT LEGAL ADVICE, THESE ARE OUR MUSINGS, BASED ON OUR EXPERIENCE WITH OUR CLIENTS AND COLLEAGUES, AND WERE ORIGINALLY SHARED OR WRITTEN IN A VERY SPECIFIC CONTEXT. YOU CAN DRAW INSPIRATION, AND TELL US IF YOU HAVE INTERESTING COMMENTS, BUT WE HAVE NO RESPONSIBILITY FOR THESE OPINIONS VIS-A-VIS OUR READERS.