Key points for deleting personal data in the workplace

The importance of protecting personal data online

The protection of personal information is an essential issue in the digital world. Every day, when we use online services such as social networks, e-commerce sites, web pages or search engines such as Google for research purposes, we share sensitive content: contact details, bank details, browsing history, etc. This online data must be handled with care. This online data requires special treatment.

Companies have a real Accountability : they must guarantee the security and protection of the data they collect and process. The General Data Protection Regulation (GDPR) imposes strict rules to frame these practices (in particular deleting personal data)

For example, when a client wishes to close an account, he or she can assert his or her right to the deletion of personal data (or Right to be forgotten) to request the deletion of their information. This applies to personal data held by Google as well as by other online platforms.

For companies, this obligation doesn't stop at the clients. Right from the outset, employers must also protect their employees' data: social security numbers, addresses, pay slips, appraisal results and so on. The company is responsible not only for the personal data it processes, but also for exercising the individual's rights (particularly with regard to the deletion of personal data).

A simple mistake, such as sending these files without encryption or consent, can have serious consequences: fines, loss of trust, even damage to the company's reputation.

Protecting your personal information online is also a matter of rights, security, and privacy. Knowing your rights and being careful about the data you share online allows everyone to better control their digital life.

Collection and storage of personal data

The GDPR imposes an essential rule: collect only the information you need. In practical terms, this means that an online service only needs data that is essential for it to function. For example, when creating an online account, a simple email address is enough, without having to ask for the postal address.

Once personal data has been collected on the Internet, it's crucial to protect it. Companies such as Google, Amazon and eBay use advanced encryption technologies to guarantee the security of personal information such as passwords and bank details.

In the event of a breach, the consequences can be severe: in 2019, British Airways had to pay a $183 million fine for a security breach that exposed personal data.

According toArticle 17 of the GDPR, every individual has the right to erase their personal data. This right applies in particular to personal content visible on the internet. For example, if personal information from Google is no longer desired, a simple link may suffice to request its deletion as soon as possible.

Regulations on the right to delete personal data

What is the right to erasure of data?

The GDPR establishes clear rules regarding the deletion of personal data. According toArticle 17 of the GDPR, also known as the Right to be forgottena person can request the deletion of their personal data if it is no longer necessary for the purpose for which it was collected, or if they withdraw their consent.

The data controller has one month to respond to this request. However, some data must be kept for legal or contractual reasons. For example, tax data must be kept for several years, and connection logs may be kept for up to 12 months for security reasons.

If the data controller does not respond or does not respect this rule, he may receive a complaint and be sanctioned by the CNIL (National Commission for Information Technology and Civil Liberties) as this is an obligation.

Fines can reach up to 20 million euros or 4% of the company's worldwide annual sales. Google, for example, was fined €50 million in 2019 for failing to comply with GDPR rules and obligations on the consent of user consent.

Publishing personal data without consent or not deleting it can damage the userexperience and lead to significant legal consequences in the field of data protection.

Personal data deletion process

Deletion of personal data in companies by services

How long is the Data retention period?

Companies frequently collect and process employees' personal data. This includes information such as contact details and social security numbers, as well as more sensitive data such as performance evaluations and medical histories. As controller, the company must comply with strict rules concerning the Data retention this information.

The GDPR requires personal data to be kept only as long as is necessary for the purpose for which it was collected. For example, a CV of an unsuccessful candidate has no interest in being kept for more than two years after the last contact, unless explicit consent is given. This period may be extended if justified by the company's interests, but this must be clearly indicated and accepted by the candidate.

To improve security, techniques such as pseudonymization or encryption can be used to protect this data. It is also advisable to keep a register of data processing to justify the duration of Data retention and the reasons for it.

Companies often collect large amounts of personal data on their clients, such as contact information or purchase histories. Mismanagement of this data can lead to privacy breaches and legal sanctions.

It is therefore essential to have a clear policy for the deletion of personal data. It doesn't need to be overly complex, but it does need to define when and how this information is to be deleted or anonymized.

For example, a website may decide to delete a Google account that has been inactive for more than three years, to avoid security risks. Prior to this deletion, the company sends a notification to the user to warn them and offer them the option of reactivating their account.

This process is essential to protect data security and respect users' rights. If there is no response to this notification, the account may be deleted.

In some cases, instead of deleting data, anonymization can be used. This enables the company to retain useful information, particularly for research or data analysis exercises, while guaranteeing the protection of individual privacy. Anonymization is particularly useful for studies or research, where data needs to be analyzed without identifying the individuals concerned.

It's also important for the company to consider the costs of implementing its data management processes. Security solutions, such as encryption, can be costly, but necessary to protect sensitive data, especially health-related data or sensitive data used in revenge situations. Poor management of this data could cause significant damage, both to the company and to users.

When a user requests the deletion of his or her data via a request form (personal data deletion), the company or organization must respond quickly and transparently. Failure to respond could be perceived as negligence or as an attempt to misinterpret the user's intentions.

In any case, the company must be vigilant and respect the rights of users while protecting the data it collects, in accordance, with Article 17 of the GDPR . The company's advocacy could also include measures to protect its interests, but always in compliance with current legislation, and with Purpose, the protection of sensitive data.

How to request the deletion of your data

As part of the protection of individuals, everyone has the right to control information about themselves, particularly that which is published on the Internet. If , for example, your telephone number or a sensitive personal situation (such as a family conflict, a professional dispute or defamatory content) is published online, you can exercise your right to have this personal data deleted.

The first step is to make a data access request to the site or service concerned, to find out what information is held about you. If this data is inaccurate, obsolete or prejudicial to you, you can then lodge a complaint requesting that it be deleted.

Let's take the example of Google, often used as a starting point. You can request the deletion of personal information directly via this official link https://support.google.com/legal/troubleshooter/1114905.
You will need :

• Explain the situatione.g: "My personal phone number appears in search results without my consent"),
• Provide a clear findinge.g: a screenshot or URL where the data appears),
• Attach proof ofidentity (ID card or license, to verify that you are the Data subject),
• Follow the steps to complete and submit the form.

Once you've submitted your request, you'll receive confirmation by e-mail, and Google will then inform you of the outcome. In the event of refusal or inaction, or in the event of an unsuitable response, you can also send a complaint to the CNIL (National Commission for Information Technology and Civil Liberties) via this link: https:CNIL (National Commission for Information Technology and Civil Liberties).fr/en/complaints.

Recourse in the event of refusal to delete or erase information

In the event of an unjustified refusal of a request to delete sensitive personal data, the user can exercise several remedies to assert his right to erasure . Firstly, he or she can follow up with the company concerned by sending a registered letter with acknowledgement of receipt, reiterating the mandatory nature of the response within the deadlines imposed by the GDPR as well as his or her rights, in particular the right to deletion and the right to rectification of his or her data, as mentioned in Article 17 of the GDPR.

If the company persists in not responding, or refuses to do so without good reason, the user can then take the matter to the CNIL (National Commission for Information Technology and Civil Liberties). This authority can intervene to demand thedeletion of personal data and, if necessary, impose sanctions on the organization in question. Finally, if these steps have no effect, the user may take legal action, either before a national court or, in certain cases, before the Court of Justice.

The aim of this action is to ensure that digitalrights are respected, to obtain the effective deletion of data, including when they are distributed over a network, and to guarantee their deletion from a specific date.