Who should delete my personal data?
If you submit a request to have your personal data erased. It is the data controller (the organisation/entity/ administration /company processing your data). Who must take the necessary steps to erase the data diritto all oblio gdpr. The controller must also inform other controllers processors. (if they have outsourced the processing to them) and all other recipients that you want your data to be erase and that it need to be erase. How can I have a data controller erase my data.
Step 1: Decide who to send your request to
A request for erasure of your data should be address to the data controller (the organisation/entity/administration/company processing your data).
This can be done by e-mail letter fax. Or via a form as long as you put the request in writing. Where processing is done online. Controllers must provide automate mean. (such as an objection form or link in an email) to object to the processing of your data.
Step 2: Drafting your request
- Inform the controller that you request the erasure of your data. And that you want confirmation from the controller that he has stopped processing. If you have multiple processing operations, please indicate which one you want to stop.
- Specify your name or other identifier used by the data controller. (for example an account username)To help the controller handle your request more efficiently. Please provide information that identifies your account. Such as your phone number (if you provided it when you signed up), username or account name, or IP address . This is especially helpful if you have a common first and last name.
- Please include the date in the text. If you submit your request in an attachment to the email or in a letter. This clarifies the time frame within which the data controller must provide the information.
- Mention in your e-mail or letter :
- that you wish to delete your data immediately (you can explicitly refer to Article 17 GDPR),
- that you want confirmation that the data controller has erased your data within one month of submitting your request,
- the reason(s) why the data controller is require to erase your data. (see our list of grounds above in “when should data controller erase my data?”). You can specify more than one reason. Why the data controller is responsible for the processing responsible person must delete your data)
- that if the data has been provided to other recipients. These parties should be notified of your request and the data should also be delete from their system.
- Indicate how you wish to receive the information, for example electronically, via an e-mail address.
- You can ask the controller to confirm that it will not process the disputed data while your request is pending. In that case indicate that you wish to exercise your right to restriction. Of your data under Article 18(1) , point d) GDPR oblio immagini.
If you prefer, you can also use the tools offered by mydatadoneright .EU. Their system will write and send the removal request for you.
Step 3: Response from the data controller
Once the controller has received your request. He has one month to reply and confirm that he has erased your data . This period can only be extend once by a maximum of two month, in case of complex or multiple request.
In case of doubt, the controller may ask you for additional information to confirm your identity . However, such a request must be limit to the additional information necessary to confirm who you are. The additional information should not be disproportionate give the context of the processing of your data. (e.g. a shop asking you for a copy of your passport to change the address. Of a loyalty card would be disproportionate)
In general, this answer must be communicate to you in writing , but it can also be communicate to you electronically. For example by e-mail or it can be communicate orally if you so request.
Step 4: What if the controller refuses to erase my data?
A controller may reply to your request that it has decided not to erase some or all of the data. That you have requested erasure. If he does, he must explain why not and demonstrate in his explanation. How one of the exceptions applies in your particular case (see explanation above). The controller cannot refuse to delete the data for any other reason. Nor can it give you a general, general answer
If the controller
- reject your request without a satisfactory explanation,
- attempts to charge you unjustified charges for your request,
- restrict processing during the processing of your request (if you have requested it),
- after one month (or an extended period of up to 3 months),
you have the right to lodge a complaint with a data protection authority sharenting.