The article at a glance

Personal data management is no longer just an IT issue, but a critical business concern: between GDPR requirements (right to erasure, data retention periods, security) and the growing range of applications, every breach exposes organizations to heavy penalties and a loss of client trust. Conversely, structuring data collection, storage, and deletion processes becomes a genuine competitive advantage for securing sales and reassuring partners. Implementing clear policies, automating data processing, and managing erasure requests allows you to turn a regulatory constraint into a credibility booster. To ensure your compliance from start to finish and turn it into a business asset, discover outsourced DPO support.

1. The Importance of Online Privacy

The protection of personal information is an essential issue in the digital world. Every day, when we use online services such as social networks, e-commerce sites, web pages or search engines such as Google for research purposes, we share sensitive content: contact details, bank details, browsing history, etc. This online data must be handled with care and requires special treatment.

Companies have real accountability: they must guarantee the security and protection of the data they collect and process. The General Data Protection Regulation (GDPR) imposes strict rules to frame these practices (in particular, deleting personal data).

For example, when a client wishes to close an account, they can assert their right to the deletion of personal data (or right to be forgotten) to request the deletion of their information. This applies to personal data held by Google as well as by other online platforms.

For companies, this obligation doesn't stop at the clients. Right from the outset, employers must also protect their employees' data: social security numbers, addresses, pay slips, appraisal results and so on. The company is responsible not only for the personal data it processes, but also for exercising the individual's rights (particularly with regard to the deletion of personal data).

A simple mistake, such as sending these files without encryption or consent, can have serious consequences: fines, loss of trust, even damage to the company's reputation.

Protecting your personal information online is also a matter of rights, security, and privacy. Knowing your rights and being careful about the data you share online allows everyone to better control their digital life.

2. Collection and storage of personal data

The GDPR imposes an essential rule: collect only the information you need. In practical terms, this means that an online service only needs data that is essential for it to function. For example, when creating an online account, a simple email address is enough, without having to ask for the postal address.

Once personal data has been collected online, it is crucial to protect it. Companies such as Google, Amazon, and eBay use advanced encryption technologies to ensure the security of personal information, such as passwords and banking details.

In the event of a breach, the consequences can be severe: in 2019, British Airways had to pay a $183 million fine for a security breach that exposed personal data.

According to Article 17 of the GDPR, every individual has the right to have their personal data erased. This right applies in particular to personal content visible on the internet. For example, if personal information from Google is no longer desired, a simple link may suffice to request its deletion as soon as possible.

3. What is the right to have one’s data erased?

The GDPR establishes clear rules regarding the deletion of personal data. According to Article 17 of the GDPR, also known as the right to be forgotten, a person can request the deletion of their personal data if it is no longer necessary for the purpose for which it was collected, or if they withdraw their consent.

The data controller has one month to respond to this request. However, some data must be kept for legal or contractual reasons. For example, tax data must be kept for several years, and connection logs may be kept for up to 12 months for security reasons.

If the data controller does not respond or does not respect this rule, they may be the subject of a complaint and be sanctioned by the CNIL (National Commission for Information Technology and Civil Liberties), as this is an obligation.

Fines can reach up to 20 million euros or 4% of the company's worldwide annual sales. Google, for example, was fined €50 million in 2019 for failing to comply with GDPR rules and obligations on user consent.

Publishing personal data without consent or not deleting it can damage the user experience and lead to significant legal consequences in the field of data protection.

4. Process for Deleting Personal Data

4.1. Deletion of Personal Data in the Workplace by Department

In businesses, the collection and processing of employees’ personal data is common. This includes information such as contact details and Social Security numbers, as well as more sensitive data, such as performance reviews or medical history. As data controller, the company must comply with strict rules regarding the retention of this information.

The GDPR requires personal data to be kept only as long as is necessary for the purpose for which it was collected. For example, a CV of an unsuccessful candidate has no interest in being kept for more than two years after the last contact, unless explicit consent is given. This period may be extended if justified by the company's interests, but this must be clearly indicated and accepted by the candidate.

To improve security, techniques such as pseudonymization or encryption can be used to protect this data. It is also advisable to keep a register of data processing to justify the duration of data retention and the reasons for it.

Companies often collect large amounts of personal data on their clients, such as contact information or purchase histories. Mismanagement of this data can lead to privacy breaches and legal sanctions.

It is therefore essential to have a clear policy for the deletion of personal data. It doesn't need to be overly complex, but it does need to define when and how this information is to be deleted or anonymized.

For example, a website may decide to delete a Google account that has been inactive for more than three years, to avoid security risks. Prior to this deletion, the company sends a notification to the user to warn them and offer them the option of reactivating their account.

This process is essential to protect data security and respect users' rights. If there is no response to this notification, the account may be deleted.

In some cases, instead of deleting data, anonymization can be used. This enables the company to retain useful information, particularly for research or data analysis exercises, while guaranteeing the protection of individual privacy. Anonymization is particularly useful for studies or research, where data needs to be analyzed without identifying the individuals concerned.

It's also important for the company to consider the costs of implementing its data management processes. Security solutions, such as encryption, can be costly, but necessary to protect sensitive data, especially health-related data or sensitive data used in revenge situations. Poor management of this data could cause significant damage, both to the company and to users.

When a user requests the deletion of his or her data via a request form (personal data deletion), the company or organization must respond quickly and transparently. Failure to respond could be perceived as negligence or as an attempt to misinterpret the user's intentions.

In any case, the company must be vigilant and respect the rights of users while protecting the data it collects, in accordance with Article 17 of the GDPR. The company's advocacy could also include measures to protect its interests, but always in compliance with current legislation and with the purpose of protecting sensitive data.

4.2. How to Request the Deletion of Your Data

As part of the protection of individuals, everyone has the right to control information about themselves, particularly that which is published on the Internet. If, for example, your telephone number or a sensitive personal situation (such as a family conflict, a professional dispute or defamatory content) is published online, you can exercise your right to have this personal data deleted.

The first step is to make a data access request to the site or service concerned, to find out what information is held about you. If this data is inaccurate, obsolete or prejudicial to you, you can then lodge a complaint requesting that it be deleted.

Let's take the example of Google, often used as a starting point. You can request the deletion of personal information directly via this official link: https://support.google.com/legal/troubleshooter/1114905.
You will need to:

  • Explain the situation (e.g., "My personal phone number appears in search results without my consent"),
  • Provide a clear finding (e.g., a screenshot or URL where the data appears),
  • Attach proof of identity (ID card or license, to verify that you are the data subject),
  • Follow the steps to complete and submit the form.

Once you've submitted your request, you'll receive confirmation by e-mail, and Google will then inform you of the outcome. In the event of refusal or inaction, or in the event of an unsuitable response, you can also send a complaint to the CNIL (National Commission for Information Technology and Civil Liberties) via this link: https://www.cnil.fr/en/complaints.

4.3. Remedies in the Event of a Refusal to Remove or Delete Information

In the event of an unjustified refusal of a request to delete sensitive personal data, the user has several remedies available to assert their right to erasure. Firstly, they can follow up with the company concerned by sending a registered letter with acknowledgement of receipt, reiterating the mandatory nature of the response within the deadlines imposed by the GDPR as well as their rights, in particular the right to deletion and the right to rectification of their data, as mentioned in Article 17 of the GDPR.

If the company persists in not responding, or refuses to do so without good reason, the user can then take the matter to the CNIL (National Commission for Information Technology and Civil Liberties). This authority can intervene to demand the deletion of personal data and, if necessary, impose sanctions on the organization in question. Finally, if these steps have no effect, the user may take legal action, either before a national court or, in certain cases, before the Court of Justice.

The aim of this action is to ensure that digital rights are respected, to obtain the effective deletion of data, including when they are distributed over a network, and to guarantee their deletion from a specific date.

5. FAQ

What is the right to have personal data deleted (Right to be forgotten)?

This is the right of any person to request the erasure of their data when it is no longer necessary or is being processed without a legal basis.

In what circumstances must a company delete personal data?

It must delete them as soon as they are no longer needed, if consent is withdrawn, or if a legitimate request is made.

What is the deadline for responding to a request for removal?

The company must respond within one month of receiving the request.

Can a request to delete data be denied?

Yes, if there is a legal requirement to retain the data (e.g., tax or contractual obligations).

How should a company organize data deletion?

With simple, clear, and automated rules for deleting or anonymizing data at the right time.

6. Data Deletion: Dipeeo is here to help

Managing GDPR compliance while running your business is exhausting. That’s exactly why Dipeeo exists.

With Dipeeo, a legal expert in data protection gets to know your business, its unique characteristics, and its constraints, becoming your trusted daily point of contact. They handle everything that weighs on you: the initial audit, mandatory documentation, monitoring your service providers, managing data deletion requests, and those unexpected issues that always seem to pop up at the worst possible time.

Here's what you'll actually get:

  • A dedicated legal professional who understands your business and your industry
  • Unlimited, personalized support
  • Documents that are compliant and always up to date
  • An intuitive platform to help you manage your compliance with peace of mind

Many executives tell us they wish they had addressed this sooner. The best time to do so is now.


François Lemarié

Co-founder & COO - GDPR Expert