Lawful Basis For Processing: Contract, Legitimate Interests & Consent
The GDPR states: “The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.” Our interpretation is that users are likely to fall into 'Contract' for processing orders, 'Legitimate Interests' for collecting CRM data (e.g. sales prospecting, customer complaints) and 'Consent' for marketing purposes.
In our opinion, erasure should not apply to users whose data is required for contract or legitimate interests such as retaining orders placed on the system, wishlists, quotations etc. In general that would be your prospects, customers and people interacting with the site who are likely to enter into a purchase. On the other hand, erasure would apply to users captured for marketing purposes e.g. they have registered to receive newsletters or have completed forms on the site such as contact or download forms.
Right To Erasure Requests
Deleting A User & Their Form Records
Once you have evaluated and accepted the request, an individual's user record can be deleted by the administrator in User Manager.
Search and select the user in User Manager, click on the Forms tab which lists all their form responses, then either batch delete all responses for a form or delete individual responses.
Audit / Suppression Lists & Re-adding Or Importing Data
You may need to keep your own record that you have received and actioned the request as part of your company’s procedures along with any other systems that you have had to delete their data from, and to add the user to your suppression list. It is important that whenever you add or import user data, you do not re-add someone who has already been deleted by checking whether they are on your suppression list.