GDPR and CNIL: What is the right to erasure?

France: What are the CNIL’s specifics regarding personal data deletion?

• Role of the CNIL:
• The CNIL supports businesses in achieving compliance.
• It provides practical guides, response templates, and tools to facilitate request management.
• How to process a request according to the CNIL?
• Confirm receipt of the request within a reasonable timeframe.
• Verify the identity of the individual to prevent abuse.
• Execute the deletion of data within the legal timeframe of one month (extension possible if the request is complex).
• Additional obligations:
• Notify relevant subcontractors to ensure the data is also deleted from their systems.
• Keep proof that the request was processed, without retaining the deleted data.

What to do after a request for personal data deletion?

What types of data should be deleted?

• Direct personal data:
• Name, first name, email address, phone number, postal address.
• Indirect data:
• IP address, cookies, user IDs, behavioral data (such as purchase or browsing history).
• Documents containing personal information:
• Invoices, contracts, reports, attachments.
• Copies and backups:
• Check secondary databases, backups, or any tool that may store this data indirectly.

Locate Data in Tools

1. List the tools used:
• CRM (e.g., Salesforce, HubSpot).
• Emailing platforms.
• Internal databases.
• SaaS applications or ERP systems.
2. Use built-in search tools: Most software allows you to search for a user via their email, ID, or name.
3. Identify backups and archives: Some data may be stored in automatic archives. Plan a process to delete these as well.
4. Don’t forget files outside of tools:
• Excel or Google Sheets, sometimes used alongside primary tools.

Don’t Forget to Notify Subcontractors and Service Providers of the Request

1. Identify your subcontractors:
• Email service providers.
• Cloud storage solutions.
• Agencies or partners who had access to the data.
2. Send them a notification:
• Explain that an erasure request has been received.
• Provide the necessary information to identify the relevant data.
3. Ensure they take action:
• Verify that the data has indeed been deleted.
• Request written confirmation or a report proving the deletion.

The Role of the DPO in Data Erasure Requests

The DPO’s Responsibilities:

1. Be the primary point of contact: The DPO is often the direct recipient of erasure requests. They ensure that requests are properly documented and forwarded to the relevant teams.
2. Verify the validity of the request: The DPO assesses whether the request meets GDPR legal conditions, including verifying the requester’s identity and evaluating potential exceptions.
3. Oversee data location: They coordinate actions to identify data for deletion across all company systems and databases, including subcontractors.
4. Ensure compliance and traceability: The DPO ensures each step of the erasure process is documented to guarantee compliance in case of an audit or dispute.
5. Train and raise awareness: The DPO regularly trains internal teams to understand the implications of the right to erasure and the best practices to adopt.

A Strategic Role:

How to Validate a Data Erasure Request?

Verify the Identity of the Requester

What Documents to Request?

• Proof of Identity: A copy of an ID (identity card, passport) may be required to confirm the requester’s identity.
• Associated Email: Verify that the email address used for the request matches the one registered in your systems.

Key Considerations:

• Protection of Sensitive Data: Provided documents must be handled confidentially and deleted once verification is completed.
• Clarity and Transparency: Inform the requester why this information is necessary and how it will be processed.

Special Cases: When Requests Are Specific

Legal Representative:

• A request can be made by a guardian or legal representative (e.g., for a minor or a person under guardianship).
• Required Documents: Proof of identity of the legal representative and justification of their authority (birth certificate, guardianship order).

Minor’s Data:

• Minors have the same rights as adults regarding data protection.
• Parental Consent: If the minor is of age to give their own consent (usually from 15 years old in France), they can request erasure directly. Otherwise, the request must come from a parent or guardian.

Example of Procedure: Dedicated Form or Email Request

Which Procedure to Adopt?

1. Online Form:
• A dedicated form on your website allows users to detail their request.
• Include mandatory fields such as name, email address, and an option to attach proof of identity.
2. Email Request:
• Provide a specific email address (e.g.: privacy@yourcompany.com) for these requests.
• Indicate in the automatic reply the steps to follow and the required documents.

Advantages of a Dedicated Form:

• Standardization of requests.
• Time-saving for processing teams.
• Reduction of missing important information.

Example of an Online Form to Facilitate Right to Erasure Requests:

What are the deadlines and obligations to comply with?

Legal Deadlines: How long do I have to delete the data?

• Response deadline: Once the erasure request is received, you must respond within 1 month. This period can be extended by an additional 2 months if the request is complex or if you have received multiple requests.
• Extension cases: If an extension is necessary, you must inform the concerned person of the delay within one month of the initial request.
• Exceptions: Some exceptions may extend the deadline or make data deletion impossible (for example, to comply with a legal obligation or for the exercise of legal rights).

Key Points:

• 1 month to respond (in general)
• Possible extension up to 3 months in case of complexity
• User notification if an extension is needed

Communication: Informing the person about the progress

• Acknowledgment of receipt: As soon as you receive the request, inform the person that their data erasure request has been acknowledged.
• Progress updates: If you need more time (for example, if the request is complex or if you need to verify the requester’s identity), keep the person informed about the status of their request.
• Erasure confirmation: Once the data has been deleted, send a notification or email confirming the completed action. Clearly state that the data has been erased unless a legal exception prevents it.

What are the risks of not complying with data erasure requests?

What are the GDPR fine amounts?

• Maximum fine: The GDPR provides for fines of up to €20 million or 4% of the company’s annual global turnover, whichever is higher.
• Fine for non-compliance with the right to erasure: If a company fails to comply with an erasure request, the fine may be applied depending on the severity of the violation, the company’s intent, and the impact on the affected individuals.

Key Points:

• €20 million or 4% of annual global turnover: maximum fine
• Fines adjusted based on the severity of the violation

Examples of GDPR and CNIL fines

1. Google (2019): Google was fined €50 million by the CNIL for failing to comply with consent and transparency rules. While not directly related to data erasure, this example highlights the importance of respecting users’ rights, including their right to erasure.
2. H&M (2020): H&M was fined €35.3 million for excessively collecting and storing personal information without respecting employees’ right to data erasure.
3. Clearview AI (2022): The CNIL ordered Clearview AI to delete unlawfully collected data and imposed a €20 million fine for unauthorized biometric data collection.

Example of a Data Erasure Request

We do not collect the information provided in the quizzes of this article ✅

Source: CNIL | Understanding My Rights