Users have the right to request deletion of their personal data under GDPR Article 17 (the "right to be forgotten"). But how does this right interact with DAC8's mandatory data retention requirements?
The Conflict
GDPR gives users the right to request erasure of their personal data. DAC8 requires CASPs to retain user data for years after the reporting period. These two requirements appear to conflict, but GDPR provides a resolution.
The Legal Retention Exception
Article 17(3)(b) of GDPR explicitly exempts data processing that is necessary for compliance with a legal obligation from the right to erasure. Since DAC8 reporting is a legal obligation, CASPs are not required to delete user data that is needed for DAC8 compliance, even if the user requests erasure.
Practical Handling
When a user requests data deletion, CASPs should acknowledge the request promptly, identify which data is subject to DAC8 retention obligations, delete any data that is not required for DAC8 or other legal obligations, inform the user that certain data must be retained for legal compliance purposes, specify the retention period and the legal basis (DAC8), and document the request and the CASP's response.
After the Retention Period
Once the DAC8 retention period expires and no other legal basis for retention exists, the CASP must delete the data. If the user has previously requested erasure, the CASP should process the deletion at the earliest possible date after the retention obligation ends.
Conclusion
The right to erasure does not override DAC8's legal retention requirements, but CASPs must handle deletion requests transparently and professionally, deleting data that is not legally required to be retained and clearly communicating the reasons for continued retention.