The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: If I Receive A Right To Be Forgotten Request From A Former Employee That Was Terminated For Cause, Do I Have to Honor It?
Answer: Not necessarily.
The GDPR indicates that people have a “right to be forgotten” only in the following six situations:
Companies must delete data upon request, if data is no longer necessary. If personal data that was collected by a company about an individual is “no longer necessary in relation to the purposes for which [it was] collected,” the company typically must honor a right to be forgotten request.1 In situations in which an employee was terminated for cause, some of the information surrounding the termination may still be necessary for the company and, as a result, may be kept. For example, if an employee was terminated for stealing or destroying company property, the company may need to keep a record of the incident for insurance purposes or in order for it to document the whereabouts of the last item. Other information, however, that is unrelated to the reason for termination may no longer be needed. For example, it is unlikely that a company has a need for the emergency contact information of a terminated employee.
Companies must delete data upon request if data was processed based solely on consent. The GDPR allows companies to process data based on six alternate lawful grounds.2 While one of those situations is where a person has “given consent” to the processing, the Article 29 Working Party – an influential, independent advisory body to the European Commission on data protection matters that is chiefly comprised of representatives from each member state’s data protection authority – has taken the position that “for the majority of . . . data processing at work, the legal basis cannot and should not be the consent of the employees” because of the unequal bargaining position between an employer and an employee.3 As consent is typically not the sole basis for which an employer processes data, an employer typically is not required to honor a right to be forgotten request simply because an employee purports to be withdrawing his or her consent.
Companies must delete data upon request if the data was processed based upon the controller’s legitimate interest, and that interest is outweighed by the data subject’s rights. One of the other grounds upon which a company can process data is to further the company’s “legitimate interest.” When processing is based upon a company’s legitimate interest, an employee has a right to request deletion unless the employer’s or a third party’s interest is demonstrably “overriding.”4 In the employment context if a company kept a list of individuals that were precluded from being re-hired based upon past performance issues, and a terminated employee submitted a request to be forgotten from that list, the company would likely find that its interest in recording future employment eligibility is not overridden by the employee’s interest in having his personal data removed.
Companies must delete data upon request if data is being processed unlawfully. The GDPR states that a right to be forgotten request must be honored if the processing of the personal data is (or has become) unlawful.5 Assuming that an employer lawfully processed data relating to the terminated employee this situation would have no applicability.
Companies must delete data upon request if erasure is already required by law. The GDPR states that a right to be forgotten request must be honored if the data is required to “be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.”6 If an employer is required to erase data concerning a terminated employee pursuant to another member state law then it is unlikely that the company has any information left to be “forgotten.”
Companies must delete data upon request if it is collected from a child as part of offering an information society service. The GDPR requires the deletion of information when requested where the information was “collected in relation to the offer of information society services” to children under 16.7 Even if your organization employs children under the age of 16, it is unlikely that it would be characterized as an information society service. As a result, this situation does not apply to most employers.
If one of the above situations is not present, a company does not need to honor a terminated employee’s right to be forgotten request.
Even if one of the situations described above is present, a company still may not need to honor a right to be forgotten request from a terminated employee. Specifically the GDPR provides that a company may refuse a right to be forgotten request if the continued processing of the information is necessary “for the establishment, exercise, or defence of legal claims.”8 To the extent that the conduct of a terminated employee might warrant legal action (e.g., lawsuit to recover property from theft) or to the extent that the employer believes that there is a reasonable likelihood that the employee may bring suit for wrongful termination and the information is needed to help establish a defense, the request can be denied.
If you would like to subscribe to the BCLP distribution list for future articles email Kiara.Akpore@bryancave.com with the subject line:OPT IN DATA.
This article is an excerpt of a book scheduled for publication in the fall of 2018 on the 150 most frequently asked questions concerning the GDPR. If you would like to order/pre-order when available please email David.Zetoony@bryancave.comwith the subject line:GDPR FAQ ORDER INFO.
GDPR, Article 17(1)(a).
GDPR, Article 6(1)(a)-(f).
GDPR, Article 6(1)(a). Article 29 Working Party, WP249: Opinion 2/2017 on data processing at work at 6 (8 June 2017).