GDPR Requirements
A user may request the deletion of personal data concerning him or her. The data controller is obliged to delete data, if the request is justified (Article 17 (1 a-f)). This includes the revocation of consent. The request for deletion shall be forwarded to other affected data controllers as well (Article 17 (2)). Furthermore, some case define exceptions to this rule (Article 17 (3)).
Resulting Challenge
The EU-GDPR requires a function to erase personal data. Accordingly, the user must be able to order the erasure of his data. It must be ensured that the deletion can be forwarded to other responsible parties.
Technical Solution Approach
Similar to the pattern right to Information Obligation / Right of Access by the Data Subject, an interface must be provided which enables the subsequent erasure of personal data. Data of individual persons must be retrievable and separately erasable. Subsequent reproduction of the data after deletion is not permitted.
Checklist
- Does the system allow the erasure of user data and accounts?