The Bottom Line
- Retention policies must be specific. A legal obligation to retain one set of personal data (e.g., for archival purposes) does not justify retaining other, unrelated data that should be deleted.
- Late compliance is a costly breach. Failing to act on a valid GDPR deletion request in a timely manner can result in direct financial liability for damages, even if the amount is symbolic.
- The burden of proof is on you. If data is retained unlawfully, your organization must be able to prove that third parties could not have accessed it. Failure to do so can be enough to establish harm.
The Details
In a recent case, an individual requested that the Dutch Child Protection Council (the “Council”) delete his entire personal file under the GDPR’s “right to be forgotten.” The file contained two types of records: child protection investigations and several old criminal investigations. The Council agreed to delete the criminal records but refused to erase the protection files, citing its legal obligations. However, it only deleted the criminal records more than a year after the legal deadline to do so had passed. The individual sued, seeking the deletion of the remaining files and damages for the late removal of the others.
The court sided with the Council on the retention of the child protection files. It affirmed that the GDPR’s right to erasure is not absolute. Under Article 17(3)(b) of the GDPR, the right does not apply when data processing is necessary to comply with a legal obligation or to perform a task in the public interest. The court found that the Council’s duties fall under this public interest task and, more importantly, that the Dutch Archives Act legally requires it to retain child protection files for 100 years after the subject’s birth. This ruling serves as a strong reminder that specific national laws can override an individual’s right to data deletion.
However, the court ruled against the Council for its failure to act promptly on the valid part of the request. By taking over a year to delete the criminal investigation files, the Council breached its GDPR obligations. During this period of unlawful retention, the individual was undergoing an assessment at a forensic psychiatric center, which had access to his file and could see the reports that should have already been deleted. The court determined that this potential access constituted a personal injury, causing harm and a loss of trust. It awarded damages, establishing that even a significant delay in processing a valid deletion request is a punishable offense.
Source
District Court of North Netherlands
