Hi, hoping there are some experts here...
In a nutshell, a company is refusing to comply with a request to erase personal data. The company sells small value items to the general public and in order to purchase said items they collect the usual personal data, name, address, tel number, email, etc. They are relying on UK GDPR Article 17 (3) (e), which states, as an exemption from the regulations, "for the establishment, exercise or defence of legal claims."
They are claiming that "defence of legal claims" makes them 'legally obliged' (their words) to store data in case a legal action is brought against them by me within the six year limitation period. They also state that deleting personal data may prevent them from defending themselves.
The ICO representative has also echoed this statement, which I consider to be complete nonsense. The ICO website even says "Data should not be stored on a 'just in case' basis". This interpretation would effectively allow any company that has ever sold anything to anyone to refuse an erasure request based on 17 (3) (e) and keep personal data for six years. My interpretation is that 17 (3) (e) simply allows a company to process data in the event of a legal claim so they can defend themselves.
Any input gratefully received.
In a nutshell, a company is refusing to comply with a request to erase personal data. The company sells small value items to the general public and in order to purchase said items they collect the usual personal data, name, address, tel number, email, etc. They are relying on UK GDPR Article 17 (3) (e), which states, as an exemption from the regulations, "for the establishment, exercise or defence of legal claims."
They are claiming that "defence of legal claims" makes them 'legally obliged' (their words) to store data in case a legal action is brought against them by me within the six year limitation period. They also state that deleting personal data may prevent them from defending themselves.
The ICO representative has also echoed this statement, which I consider to be complete nonsense. The ICO website even says "Data should not be stored on a 'just in case' basis". This interpretation would effectively allow any company that has ever sold anything to anyone to refuse an erasure request based on 17 (3) (e) and keep personal data for six years. My interpretation is that 17 (3) (e) simply allows a company to process data in the event of a legal claim so they can defend themselves.
Any input gratefully received.
Comment