Link To GDPR Right To Erasure

GDPR Lawful Basis For Processing

ICO Data Protection Principle 6 Rights Preventing Direct Marketing


Lawful Basis For Processing: Contract, Legitimate Interests & Consent

The GDPR states: “The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.” Our interpretation is that users are likely to fall into 'Contract' for processing orders, 'Legitimate Interests' for collecting CRM data (e.g. sales prospecting, customer complaints) and 'Consent' for marketing purposes.


In our opinion, erasure should not apply to users whose data is required for contract or legitimate interests such as retaining orders placed on the system, wishlists, quotations etc. In general that would be your prospects, customers and people interacting with the site who are likely to enter into a purchase. On the other hand, erasure would apply to users captured for marketing purposes e.g. they have registered to receive newsletters or have completed forms on the site such as contact or download forms. 


Right To Erasure Requests

In your privacy policy, provide a way for individuals to contact you to request deletion. This will probably be via an email address, or you may choose to set up a form on your site to capture the request. 


Finding Where A User Exists In The System

You can use the GDPR User Search program to find where a user exists in the system. This checks through the various places in the system where the user may have entered their details including forms.


Deleting A User & Their Form Records

Once you have evaluated and accepted the request, an individual's user record can be deleted by the administrator in User Manager.

Search and select the user in User Manager, you can see whether they have placed orders or been sent quotes under the relevant tabs and also click on the Forms tab which lists all their form responses, then either batch delete all responses for a form or delete individual responses.


Audit / Suppression Lists & Re-adding Or Importing Data

You may need to keep your own record that you have received and actioned the request as part of your company’s procedures along with any other systems that you have had to delete their data from, and to add the user to your suppression list. It is important that whenever you add or import user data, you do not re-add someone who has already been deleted by checking whether they are on your suppression list.


Retaining A User But Restricting Data Processing

If you decide you need to keep a user record in the system, such as for maintaining orders they have placed on the system for legal record-keeping, you may instead set them to have restricted processing to limit the contact they receive from you.


Disclaimer - take independent advice - click to read more