Under Article 17 of the GDPR, you have the right to have most of your personal data deleted. Data controllers must usually comply with your erasure request within one month. But what data can companies typically keep about you after your request – what about invoices, for example? And what can you do if they don’t comply with your request? I discuss the civil court remedies that were available to me when I found out that a company stealthily kept my sensitive personal data, even though I’d asked for it to be deleted months earlier.
Tag: erasure
I sent two IT webshop companies an erasure request. I also informed them of a security vulnerability in the way they processed my invoices and I objected to them processing my invoice data in this way. The companies repeatedly refused to act on my GDPR requests and they failed to acknowledge the vulnerability. So I took them both to court.
I sent a UK company a GDPR erasure request, but they demanded that I email them a copy of my driving licence before actioning my request. Here’s what happened when I challenged their intrusive, unsecure and likely unlawful demand…