Information request - how to handle it correctly
Questions your customers may ask
You should be prepared for all possible enquiries - be it for simple information or an erasure request - and know how to answer them. You will likely receive the following information requests:
"What customer data is stored?”
If you are asked what data you store about the data subject, it is important that you really disclose all the data. To do this, consult the compiled record of data processing and put together an overview based on this. If you store a particularly large amount of data, you should set up a process that allows the automatic retrieval of all the stored data “at the touch of a button.” It is important that the data subject can identify themselves accordingly e.g. with an identity card, passport, or driver’s license, before you send the data. This is necessary to ensure that personal data is never made available to an unauthorized person.
"Where is customer data stored and how safe is the location?”
Here, you need to explain exactly where your customer data is located. This will probably be a hosting server. In addition, you need to disclose how the access to these servers is secured. You can ask your hosting provider for the required information.
"Cancellation, for example if a customer no longer wants to receive the newsletter.”
A cancellation is the withdrawal of consent. How quickly you have to comply with the request depends on whether you have a legal retention period. This is usually not the case for a newsletter so you have to comply immediately with the request. However, things are different if the cancellation conflicts with a law. Read the exact procedure below.
How to deal with erasure requests
Erasure requests are one of the most sensitives requests for businesses. They are based on the so-called “right to be forgotten”, which is now directly enforced by the GDPR.
In the event of an erasure request, it is therefore important that you prepare and implement an erasure concept in advance. These are fixed processes by which all personal data in your company is deleted. You can legally handle requests for erasure only on this basis.
However, be aware that erasure must not only be made when a customer requests it from you. Even without a specific request, customer data must be deleted if the applicable time limits have expired. This means you always have to act regularly.
For this reason, we strongly recommend that you develop an erasure concept together with your lawyer. It is individual to you and depends on the way you handle data.
You generally have to store buyer data in Germany for 10 years. You should store employee data for 30 years.
Frequently asked questions about the erasure of customer data
You undoubtedly have some questions in your head on this topic. We would like to help you with the most frequently asked questions. You can then discuss relevant points with your lawyer.
What do I do if a customer would like their data to be deleted, but I can’t delete certain customer information because of retention periods?
First of all, there are different time limits. Accounting, tax and customs, contracting, employment and industry specific deadlines are areas that have different time periods.
There are specific reasons for refusal in cancellation rights on the basis of these time periods. This means that an erasure request can only be denied if you require the corresponding data in order to comply with a legal obligation. This legal obligation results from the time periods named above.
In practice, this means that a response must be given within one month of receiving an erasure request that must inform the applicant of the action taken or explain the reasons for the refusal.
When do I have to delete the data in general? Is it not enough if I delete when the customer asks me to?
No. The GDPR has two principles, among others. These are accuracy and memory limitation. This means that all personal data must be correct and up to date. Incorrect data must be deleted. The storage limitation means that data may only be saved and stored to the extent that it is needed for the actual purpose, meaning if it is no longer needed and doesn’t fall under a retention period, it must be actively deleted by you as described above.
I have data from prospective customers as well as leads - how long am I allowed to keep them?
Legal retention periods also apply here, as well as whether data needs to be stored for a specific use. For leads, the retention purpose is only given if you can already demonstrate an existing relationship with the customer. Otherwise, there is no reason to store it.
How should I act if I receive an erasure request but still need the data, for example, for an invoice.
As long as you have to comply with the legal retention periods, e.g. for invoices that you, as a business owner, have to keep for country specific retention periods (10 years in Germany, 7 years in Austria), you cannot meet the erasure request. However, according to the current legal status, you must communicate this to the customer within one month of receiving the request.
How can I prove that I deleted the data?
A review is carried out by data protection authorities. This will ask about erasure processes, your erasure concept and retention periods, among other things. It is also entitled to request access to the data storage premises and carry out a detailed examination.
How much time do I have to perform the data request?
In principle, applications from affected parties must be processed within a month. In the case of complex issues, the possibility also exists to apply for a two month deadline extension.
Switch quickly and easily to all lessons of the course.