25 July 2018
Does a data processor need to be informed when a data controller deletes data?
A Data Processor only needs to be informed if the Data Controller is in need of support, in regard to undertaking the right to be forgotten. Although, it is important for a data controller to define the relationship with the data processor, in order to understand the dynamics between the two. It is also seen as good practice to allow the controller to gain access to deleted records through a Subject Access Request that the controller has obtained. If a Data Processor retains copy records as well as back up records, they must be deleted if requested by the Controller.
The deletion process can be difficult to carry out efficiently, although it is an essential process, according to GDPR, all the subject’s data must be deleted and backed up again, which is a lengthy but essential process.
Although, it is not enough to utilize a deletion application, as you must also have an audit trail. This is where an SaaS is implemented, which is used in various businesses as a tool to erase and anonymise all personal data efficiently.
However, it is important to remember that all SaaS tools are different, so not all providers are data processors and therefore have no control over personal data. Compared to managed services, which include self-service options, which would be a better option in regards to data processing.
To find how our friendly and knowledgeable solicitors can help you, contact us today.
Make a free enquiry - Call now - 0151 659 1070
