Under Article 17 of the GDPR, you have the right to have most of your personal data deleted. Data controllers must usually comply with your erasure request within one month. But what data can companies typically keep about you after your request – what about invoices, for example? And what can you do if they don’t comply with your request? I discuss the civil court remedies that were available to me when I found out that a company stealthily kept my sensitive personal data, even though I’d asked for it to be deleted months earlier.
In this post, I consider the current accounting record retention obligations for UK companies, VAT invoices and what personal data can be included in them, my dispute with a company that failed to delete my data following my erasure request, and the civil court procedures & remedies relevant to such a dispute.
I sent a company (let’s call them X again) an erasure request, asking for all my personal data to be deleted. X duly responded, stating that it had deleted my data to the extent one of the Article 17(1) GDPR grounds applied and no Article 17(3) GDPR exemption applied. So far, so good. But then X contacted me some time later to say that some of my personal data had potentially been exposed in a data breach – and I wasn’t impressed.
Accounting Records, (VAT) Invoices & Personal Data
I entered into a single consumer contract with X about 3 years ago and X issued me with an invoice. The invoice was sent to me by email as a PDF attachment and contained details of the transaction, my name and address, as well as X’s VAT details. X also took further sensitive personal data from me for identity verification purposes, including my date of birth and government-issued identity document details – this was done legitimately at the time. These were (correctly) not contained on the invoice.
Under Part 15, Chapter 2 of the Companies Act 2006, companies are under an obligation to retain accounting records for a period of 3 years (or 6 years for public companies). In addition, there is a longer obligation on entities liable to deliver a company tax return to retain the records needed for that return until the sixth anniversary of the end of the relevant accounting period: para 21, Schedule 18, Finance Act 1998. In practice, it is this roughly 6-year period that matters.
Curiously, what exactly is meant by accounting records is not clearly defined. The explanatory notes of the Companies Act 2006 state: “Accounting records is a broad term and there is no specific definition as the records may differ depending on the nature and complexity of the business. For a simple business these may include, for example, bank statements, purchase orders, sales and purchase invoices, whilst a more sophisticated business may have integrated records, which it holds electronically.”
What isn’t clear is whether a company is required to include and store a consumer’s personal data on their accounting record documents. It may be common for some companies to do so, but not for others: for example, you wouldn’t expect a supermarket to obtain and store your name and address on a sales receipt. Whether or not a company is legally obliged to store a consumer’s personal data on their accounting records is an important issue. If it is not, then the company cannot rely on Article 6(1)(c) GDPR (compliance with a legal obligation) to process and retain such personal data on their accounting records: at best, they might be relying on legitimate interests. This is also particularly relevant for the purposes of erasure requests: personal data that a company is legally required to retain can be kept, even after an erasure request (that is the exemption in Article 17(3)(b) GDPR), whereas personal data kept merely on the basis of legitimate interests enjoys no such exemption.
HMRC and Government guidance don’t particularly clarify the issue, either. However, there is a particular bit of legislation that deals with the issue of VAT invoices: Part III of The Value Added Tax Regulations 1995 (SI 1995/2518). The requirement to issue a VAT invoice generally only applies if a taxable supply is made to another taxable person (i.e. a supply that is not exempt from VAT is made to another person who is registered for VAT). It does not impose an obligation to issue VAT invoices where a company makes a taxable supply to a consumer who is not registered for VAT, and so it cannot be relied upon as a legal obligation to process personal data in such cases. However, a brief look at the requirements is perhaps interesting to see what parliament may have intended in respect of general accounting record obligations.
Generally, a VAT invoice must contain the customer’s name and address (Regulation 14). This seems to be a clear legal obligation upon which a company can rely when making a taxable supply to another taxable person. However, this obligation does not always apply. Regulation 16 (as amended) provides that retailers are not generally required to issue VAT invoices unless they are asked for one. Even if they are asked, if the amount paid by the customer does not exceed £250, the invoice does not need to state the customer’s name and address.
To make matters even more complicated, the VAT regulations were later amended by The Value Added Tax (Amendment) (No. 3) Regulations 2012 (SI 2012/2951), which inserted Regulation 16A. This generally provides that, where a business (including a non-retailer) issues a VAT invoice for up to £250, it may issue a less detailed invoice (a ‘simplified VAT invoice’ in HMRC’s terminology). When issuing a simplified VAT invoice, the customer’s name and address do not need to be included. As such, for transactions up to £250, businesses cannot point to the VAT regulations as a legal obligation for including a customer’s name and address on an invoice – and that’s if they can even point to the VAT regulations to begin with, as most consumers are not registered for VAT purposes.
However, looking at the VAT regulations is interesting as it allows us to better interpret any legal obligations for processing personal data on accounting records generally that parliament may have intended. In summary, one could extrapolate the invoicing obligations in the VAT regulations and generally assume the following for invoices in relation to non-taxable consumers and personal data:
- If the transaction is with a retailer, the retailer is not legally obliged to process the customer’s personal data on its invoices, unless the customer asks for a VAT invoice and the sum paid exceeds £250;
- If the transaction is with a non-retailer, the business is not legally obliged to include the customer’s name and address on an invoice if the sum paid does not exceed £250;
- If the transaction is with a non-retailer and the sum paid does exceed £250, the business is legally obliged to include the customer’s name and address on the invoice.
Of course, this is just an assumption based on the VAT regulations. It should be noted that contracts themselves likely also fall within the definition of accounting records. That includes personal data included in the contracts themselves. It is also important to remember that, unless the VAT regulations apply, the obligation to issue an invoice in the UK is usually only imposed by the contract between the customer and the business, rather than being a general legal obligation. The processing of personal data in such circumstances is an area that could use some clarification through legislation or the courts.
How Company X dealt with (or rather, failed to deal with) my erasure request
Back to my consumer transaction with Company X. My transaction with X did not exceed £250. I thus suspect they were not actually under an obligation to include my name and address on their invoice and X was thus not able to rely on Article 6(1)(c). However, I didn’t pursue this point further, as my name and address were contained on my contract with X. A contract also fall within the definition of accounting records, so they were still under a legal obligation retain my name and address on that document.
My dispute with X arose some time after they said they’d processed my erasure request. I was unpleasantly surprised to receive correspondence from X saying some of my data had potentially been exposed in a data breach. I sent X a subject access request, at which point I discovered that they had actually kept the majority of my personal data. It appeared that the only thing they had ‘deleted’ was my website account, but they had kept all the underlying personal data. That included some basic details as well as my date of birth and government-issued identity document details. One need only look at the fallout of the Australian Optus data breach to understand the damage that can be caused by poorly managing such sensitive information.
Luckily, X clarified that my government-issued identity document details and date of birth had not been accessed in the data breach. However, the question arose why they were even still processing that sensitive personal data at all, given my transaction with them had taken place some years previously. X did not appear to be under a legal obligation to keep that sensitive personal data for so long, nor did they seem to have any other good reason for doing so. And the worst thing was that I’d asked for it all to be deleted months earlier! Although X was under a legal obligation to retain my name and address (as these were included on the contract, which counts as an accounting record), it was not under a legal obligation to retain any of my other personal data: this should have been deleted. The fact that X didn’t delete that other personal data, despite saying it had complied with my erasure request, was very annoying, distressing and frustrating.
Civil court procedure & remedies
Rather than going to the ICO (whose case officers often fail to take adequate enforcement action), I decided to try to exercise my rights under Articles 79 and 82 of the GDPR. These articles, combined with Sections 167 and 168 of the Data Protection Act 2018, provide that data subjects have a right to ask the court for a compliance order requiring a data controller to take steps to comply with data protection law: in this case, that was an order compelling X to comply with my erasure request. Data subjects also have a right to monetary compensation for any damage, including non-material damage such as distress, caused by a data controller’s breaches of the GDPR. The way in which you obtain such redress is through the civil courts.
Before you can start a claim in the civil courts, you need to comply with the relevant Pre-Action Protocol under the Civil Procedure Rules. The relevant protocol for GDPR claims is the Pre-Action Protocol for Media & Communications Claims. As part of this, you must send the company a sufficiently detailed letter (or email), called a Letter of Claim, explaining your claim and what remedy you seek. Before doing so, it’s important that you are satisfied that your claim is likely to succeed – seeking independent legal advice is always beneficial.
It used to be somewhat unclear whether straightforward GDPR claims could be dealt with in the County Court on the Small Claims Track (commonly referred to as the ‘Small Claims Court’). This is because CPR 53 states that a High Court claim must be issued in the Media & Communications List if it is a media & communications claim (and that includes GDPR claims). However, the High Court has now clarified multiple times that this does not mean all media & communications claims must be started in the High Court – and straightforward consumer data protection claims are perfectly suitable to be dealt with on the small claims track (most recently, for example, in Cleary v Marston (Holdings) Ltd [2021] EWHC 3809 (QB)). This is very welcome for individual claimants who simply wish to enforce their data protection rights, as the small claims track comes with simplified civil procedure rules and the winner’s ability to recover costs is usually very limited. So, even if you lose, you’re unlikely to be made to pay (tens of) thousands of pounds for the defendant’s expensive lawyers, provided you behaved reasonably.
Back to Company X – I emailed X a Letter of Claim, explaining why I believed they were unlawfully processing all my personal data (except my name & address contained in the contract document). I alleged X was in breach of Article 17(1) of the GDPR, because they had failed to delete all my personal data after my erasure request, to which no Article 17(3) exemption applied. I also alleged breaches of Article 5(1)(a) (lawfulness, fairness and transparency) and Article 5(1)(e) (storage limitation). This is because they had no proper purpose for keeping my sensitive personal data for so many years after my only transaction with them took place – in my view, this would have been the case even if I had not sent them an erasure request. Furthermore, the continued storage of my personal data after X stated it had complied with my erasure request was, in my view, neither transparent, fair nor lawful.
Company X denied liability and decided to instruct solicitors, through whom X settled the matter with me out of court.
A significant number of data controllers are bad at properly complying with erasure requests. Many (dated) IT systems are simply poorly designed, meaning it is sometimes impossible to actually fully delete personal data, as doing so would break the entire application. Instead, many applications simply contain a ‘Hidden’ setting, which merely hides the personal data from view but does not actually delete it. This is clearly inadequate and offers no protection whatsoever in the event that the application’s database is breached: the ‘hidden’ rows are exfiltrated along with everything else. Furthermore, many companies have poor organisational governance on where they store personal data (copies in backups, exports, support systems and logs are easily overlooked), making compliance with erasure requests more difficult. It now seems to me to be worth checking that a controller has properly complied with an erasure request by sending them a subject access request some time later.
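To make the difference concrete, here is an added illustration in Python (my own toy code for this post, not X’s system or anything from X). It models the two patterns side by side: flipping a ‘hidden’ flag, versus real erasure that keeps only the name and address held on the contract (the accounting record) and deletes the account row with the date of birth and identity document details. The schema, column names and the sample customer record are constructed for illustration; which fields may lawfully be retained is the legal question discussed above, which the code simply takes as given. The final function plays the role of a subject access request (or of an attacker dumping the database), showing that the ‘hidden’ flag changes nothing about what is actually held.

```python
"""Soft-delete ('hidden' flag) versus real erasure of a data subject's records.

Constructed example using an in-memory SQLite database. Table and column
names and the sample record are assumptions for illustration only.
"""
import sqlite3

# Fields the post treats as retainable under a legal obligation:
# name and address held on the contract, which is an accounting record.
RETAINED_CONTRACT_FIELDS = ("customer_name", "customer_address")
# Fields the post argues have no retention basis after erasure.
SENSITIVE_FIELDS = ("date_of_birth", "id_document_number")


def build_db() -> sqlite3.Connection:
    """Toy schema: an account table holding identity-verification data,
    and a contracts table that carries its own copy of name and address."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE customers (
            id INTEGER PRIMARY KEY,
            name TEXT, address TEXT,
            date_of_birth TEXT, id_document_number TEXT,
            hidden INTEGER NOT NULL DEFAULT 0
        );
        CREATE TABLE contracts (
            id INTEGER PRIMARY KEY,
            customer_id INTEGER,          -- nullable: survives account deletion
            customer_name TEXT, customer_address TEXT,
            amount_gbp REAL, signed_on TEXT
        );
        """
    )
    # Constructed, fictitious sample data.
    conn.execute(
        "INSERT INTO customers VALUES (1, 'A. Person', '1 Example Street', "
        "'1980-01-01', 'PASSPORT-000000', 0)"
    )
    conn.execute(
        "INSERT INTO contracts VALUES (10, 1, 'A. Person', '1 Example Street', "
        "199.00, '2020-03-01')"
    )
    conn.commit()
    return conn


def soft_delete(conn: sqlite3.Connection, customer_id: int) -> None:
    """The inadequate pattern: the account vanishes from the UI, but every
    field, including DOB and ID document number, stays in the database."""
    conn.execute("UPDATE customers SET hidden = 1 WHERE id = ?", (customer_id,))
    conn.commit()


def erase(conn: sqlite3.Connection, customer_id: int) -> None:
    """Real erasure: keep only what the retention obligation covers (name and
    address on the contract record) and delete everything else."""
    # Make sure the contract carries its own copy of name/address before the
    # account row goes, so it remains a complete accounting record.
    conn.execute(
        """UPDATE contracts SET
               customer_name = COALESCE(customer_name,
                   (SELECT name FROM customers WHERE id = ?)),
               customer_address = COALESCE(customer_address,
                   (SELECT address FROM customers WHERE id = ?))
           WHERE customer_id = ?""",
        (customer_id, customer_id, customer_id),
    )
    # Sever the link, then delete the row wholesale: DOB and ID document
    # details go with it rather than being merely hidden.
    conn.execute("UPDATE contracts SET customer_id = NULL WHERE customer_id = ?",
                 (customer_id,))
    conn.execute("DELETE FROM customers WHERE id = ?", (customer_id,))
    conn.commit()


def data_held_about(conn: sqlite3.Connection, name: str) -> dict:
    """What a subject access request, or an attacker dumping the database,
    would surface for this person. Note: no WHERE hidden = 0 filter."""
    held = {}
    cols = ("name", "address") + SENSITIVE_FIELDS
    row = conn.execute(
        f"SELECT {', '.join(cols)} FROM customers WHERE name = ?", (name,)
    ).fetchone()
    if row:
        held["customers"] = dict(zip(cols, row))
    row = conn.execute(
        "SELECT customer_name, customer_address FROM contracts WHERE customer_name = ?",
        (name,),
    ).fetchone()
    if row:
        held["contracts"] = dict(zip(RETAINED_CONTRACT_FIELDS, row))
    return held


def sensitive_fields_remaining(held: dict) -> set:
    """Sensitive fields still present in the account table after 'deletion'."""
    return {k for k in held.get("customers", {}) if k in SENSITIVE_FIELDS}


def demo() -> tuple:
    """Run both patterns on the same record; return what remains after each."""
    conn = build_db()
    soft_delete(conn, 1)
    after_soft = data_held_about(conn, "A. Person")
    erase(conn, 1)
    after_erase = data_held_about(conn, "A. Person")
    return after_soft, after_erase
```

Running demo() shows that after the soft delete the date of birth and identity document number are still returned in full, whereas after erase() the only thing left is the name and address on the contract record. In a real system the same exercise has to be repeated for every other place the data was copied to (backups, exports, ticketing systems, logs), which is exactly the governance problem described above.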
Incidents like the Optus data breach should really be a wake-up call for data controllers. Failing to delete data upon request or upon it becoming unnecessary to store creates huge risks of reputational damage and loss of trust. It is also likely to result in civil litigation and perhaps some formal regulatory enforcement action. The bottom line is – don’t keep personal data you don’t need.