GDPR: Decision of the DPA on the partial erasure of personal data as part of a customer retention programme

18 February 2020 – need2know

Many companies offer benefits and discounts in the context of customer retention programmes, which are adapted to the needs and interests of their customers. To be able to make such personalised offers, it is necessary to process data regularly (e.g. evaluation of purchasing behaviour). The legal basis for the processing of this data is the consent of the participant according to Article 6 para 1 lit a GDPR. In certain constellations, the legitimate interest of the controller under Article 6 para 1 lit f GDPR may also be taken into account.

In the event of a participant withdrawing his consent according to Article 7 GDPR or objects (legitimately) to the processing under Article 21 GDPR, it is and has been uncontroversial to date that from this point in time, the data may no longer be processed and the data must be erased. However, what would be the procedure if a participant requests the erasure of only certain types of data (partial erasure request) but still wants to participate in the programme to receive the benefits resulting from it? Does the controller also have to comply with such an erasure request?

The DPA dealt with this question in a current complaint procedure and came to a decision that in general is good news for entrepreneurs.

The appellee only offered the data subject the complete erasure, arguing that a partial erasure of individual data fields would not be possible for technical reasons. However, the data subject did not want his data to be completely erased to keep participating in the customer retention programme.

In general, the DPA represented its previous legal opinion that data subjects’ rights can also be exercised partially, i.e. only concerning certain personal data. However, a prerequisite for partial erasure by its very nature is that the controller is technically capable of erasing individual data records and, if necessary, the controller is obliged to provide technical measures for such an erasure request. It was, therefore, necessary to determine whether such an obligation applies to the controller.

The principle of processing lawfully, fairly and in a transparent manner implies inter alia the obligation of the controller to implement appropriate technical and organisational measures to fulfil the obligations laid down in the GDPR. These measures have to take into account the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. This ensures that a controller cannot bypass its obligations through unsuitable technical measures.

When participating in a customer retention programme and the associated possibility to benefit from privileges, the DPA, in the context of such consideration, concluded that there is no obligation on the controller to implement measures allowing the partial erasure of data. The authority substantiated its view by stating that complete erasure and thus the omission of membership of the customer retention programme does not constitute an obstacle or prevention of economic progress or any other significant economic disadvantage for the data subject. Furthermore, the DPA argued that a partial erasure would affect that the company would no longer be able to operate the bonus programme. This, however, is the company’s right, which lies within their freedom to conduct business as well as the principle of private autonomy. The GDPR not only protects personal data but also intends to create an appropriate balance with other rights and freedoms acknowledged in the European Union.

As a result, this means that an obligation to erase data partially within the framework of a customer retention programme only exists if this is technically possible beforehand. However, there is no obligation to implement such measures, which is why, in the absence of the technical possibility for partial erasure, the controller is not obliged to do so if a data subject requests it.

Here you will find the decision of the data protection authority.

 

Author:
Emanuel Hackl

Practice Group:
IP/IT/Data protection

If you would like to receive future issues of need2know follow us on LinkedIn or please send an email to subscribe@bpv-huegel.com.

Our use of cookies

We use necessary and functionality cookies to make our site work. We only use analytics cookies to improve our website if you enable them. By using this tool for individual settings of the cookies, we will send a cookie to your device to remember your preferences.

For more detailed information about the cookies we use, see our Cookies Policy.

Necessary Cookies Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect the website functions.

Functionality Cookies

Functionality cookies allow users to customise how a website looks for them: they can remember usernames, language preferences and regions. We use functionality cookies for storing your user preferences and remembering if you have been to the site before so that messages intended for first-time users are not displayed to you. These cookies do not collect information about you that could be used for marketing purposes and do not remember where you have been on the Internet.

You may disable these cookies with the button, but you should be aware that any preferences will be lost and you will have to make them again on your next visit. It is also possible that the website will not work properly or you will lose some functionality.

Analytics cookies (including US providers)

"Web analytics cookies" collect aggregated information about user behaviour to improve our website. We would like to use such cookies from Google Analytics to improve our website by collecting and evaluating information about the use of our website. The provider of Google Analytics is Google LLC, which is based in the USA. The USA is not certified by the European Court of Justice as having an adequate level of data protection. In particular, there is a risk that your data may be accessed by US authorities for control and monitoring purposes and that no effective legal remedies are available against this. By activating the button under "Web analytics cookies (including from US providers)", you agree that we may set these cookies and that you also agree to the transfer of data to the USA. You can revoke your consent at any time via the cookie settings on our website.