GDPR: Decision of the DPA on the partial erasure of personal data as part of a customer retention programme

18 February 2020 – need2know

Many companies offer benefits and discounts in the context of customer retention programmes, which are adapted to the needs and interests of their customers. To be able to make such personalised offers, it is necessary to process data regularly (e.g. evaluation of purchasing behaviour). The legal basis for the processing of this data is the consent of the participant according to Article 6 para 1 lit a GDPR. In certain constellations, the legitimate interest of the controller under Article 6 para 1 lit f GDPR may also be taken into account.

In the event of a participant withdrawing his consent according to Article 7 GDPR or objects (legitimately) to the processing under Article 21 GDPR, it is and has been uncontroversial to date that from this point in time, the data may no longer be processed and the data must be erased. However, what would be the procedure if a participant requests the erasure of only certain types of data (partial erasure request) but still wants to participate in the programme to receive the benefits resulting from it? Does the controller also have to comply with such an erasure request?

The DPA dealt with this question in a current complaint procedure and came to a decision that in general is good news for entrepreneurs.

The appellee only offered the data subject the complete erasure, arguing that a partial erasure of individual data fields would not be possible for technical reasons. However, the data subject did not want his data to be completely erased to keep participating in the customer retention programme.

In general, the DPA represented its previous legal opinion that data subjects’ rights can also be exercised partially, i.e. only concerning certain personal data. However, a prerequisite for partial erasure by its very nature is that the controller is technically capable of erasing individual data records and, if necessary, the controller is obliged to provide technical measures for such an erasure request. It was, therefore, necessary to determine whether such an obligation applies to the controller.

The principle of processing lawfully, fairly and in a transparent manner implies inter alia the obligation of the controller to implement appropriate technical and organisational measures to fulfil the obligations laid down in the GDPR. These measures have to take into account the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. This ensures that a controller cannot bypass its obligations through unsuitable technical measures.

When participating in a customer retention programme and the associated possibility to benefit from privileges, the DPA, in the context of such consideration, concluded that there is no obligation on the controller to implement measures allowing the partial erasure of data. The authority substantiated its view by stating that complete erasure and thus the omission of membership of the customer retention programme does not constitute an obstacle or prevention of economic progress or any other significant economic disadvantage for the data subject. Furthermore, the DPA argued that a partial erasure would affect that the company would no longer be able to operate the bonus programme. This, however, is the company’s right, which lies within their freedom to conduct business as well as the principle of private autonomy. The GDPR not only protects personal data but also intends to create an appropriate balance with other rights and freedoms acknowledged in the European Union.

As a result, this means that an obligation to erase data partially within the framework of a customer retention programme only exists if this is technically possible beforehand. However, there is no obligation to implement such measures, which is why, in the absence of the technical possibility for partial erasure, the controller is not obliged to do so if a data subject requests it.

Here you will find the decision of the data protection authority.

 

Author:
Emanuel Hackl

Practice Group:
IP/IT/Data protection

If you would like to receive future issues of need2know follow us on LinkedIn or please send an email to subscribe@bpv-huegel.com.