GDPR and Your Right to be Forgotten

Written by Keith Mason / December 07, 2018

As defined in GDPR Article 17, you have the right to be forgotten. It is the right that the Data Subject has to request the erasure of their personal information under certain circumstances. It enables the ability to have personal information an organization holds about you as an individual deleted and the discontinuance of any associated data processing.

The right to be forgotten isn’t exactly a walk in the park in a highly connected data sphere, for many organizations knowing exactly where customer data is stored is still an uncertainty, making erasure de facto, well, close to impossible. Like the DSAR, the ability to execute your Right to be Forgotten request with a high degree of confidence and accuracy is the product of having a comprehensive and maintained Data Map. Most organizations are stating the Right to be Forgotten, a.k.a. Right to Erasure, proves to be the hardest data subject right to operationalize and the most difficult GDPR obligation in practice overall as reported in the 2018 IAPP-EY Annual Privacy Governance Report (DSAR being #2).

Submitting a Right to be Forgotten

Upon receipt of your Right to be Forgotten request form (available with the platform launch in early 2019) and the appropriate supporting documents, our Data Protection Officer will review your request and notify you of the latest date by which we aim to act upon your request. Once the request has been fully executed you will be promptly notified of the status and we will never contact you again. Blueberry, Inc. is committed to honoring your request within 30 days of receipt consistent with GDPR guidance in respect to when the right does/does not apply:

When does the right to erasure apply?

Individuals have the right to have their personal information erased if the:

• Personal information is no longer necessary in relation to the purposes for which they were originally collected or otherwise processed.
• Data Subject withdraws consent on which the processing is based according to Article 6.1.a or Article 9.2.a, and where there is no other legal ground for the processing.
• Data Subject objects to the processing pursuant to Article 21.1 and there are no overriding legitimate grounds for the processing, or the Data Subject objects to the processing pursuant to Article 21.2.
• Personal information has been unlawfully processed.
• Personal information must be erased for compliance with a legal obligation which the controller is subjected to.
• Personal information was collected in relation to the Offer of Information Society Services referred to in Article 8.1.

When does the right to erasure not apply?

The right to erasure does not apply if processing is necessary for one of the following reasons as defined in Article 23:

• To exercise the right of freedom of expression and information.
• To comply with a legal obligation.
• For the performance of a task carried out in the public interest or in the exercise of official authority.
• For archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing.
• For the establishment, exercise or defense of legal claims.

Lead Generation

The method in which leads are captured, whether by site registration, web marketing, a landing page, email, referrals, a site import utility, or something else, it doesn’t matter. If personal information is being collected about individuals, then organizations need to follow the rules. In addition to having an individual’s consent, organizations must capture how the lead was sourced and maintain this in association with the individual’s information inclusive of the exact type of communications the individual agrees to receive and the date in which the organization received consent.

Lead capture form consent ‘opt-in’ capability shall be:

• Active and freely given. By default, forms should have an unchecked box which users must manually select. The Form shall include an easy to understand description explaining why the information is being collected and how it is to be used.
• Explicit. The reason for collecting personal information should be explicit, clearly stated at the point of consent, and the form should include a link to the organization’s Privacy Policy.
• Separate and Specific. The description of how an organization will use the information collected must not be generic and bundled into a common checkbox. This is not considered an active choice; individuals must consent to each separate use of their information.
• Non-discriminatory. Individuals shouldn’t be penalized or disadvantaged if consent was not given.

One thing is certain, for any organization that collects, manages, and uses personal information, GDPR will change the way in which leads are captured. However, this shouldn’t necessarily be viewed as a negative thing. After all, the leads being captured will hopefully become customers, so providing customers with a choice about how their personal information will be used is a good thing. It builds trust, instills confidence and promotes an environment of transparency.

Data Collection: How, what and why

You have a choice about whether or not you wish to receive information from us. If you do not want to receive direct marketing communications from us about new products and/or service offerings, then you may opt out of receiving these communications. We’re committed to putting you in control of your information so you’re free to change your marketing preferences (including to tell us that you don’t want to be contacted for marketing purposes) at any time.

How do we collect information from you?

We obtain information about you in the following ways:

• Information you give us directly. When you voluntarily provide us with your personal information to create an account, such as your name or email address.
• When you visit this website. We automatically collect technical (non-personal) information, including the type of device you’re using, the browser/browser version and the operating system being used. This information is collected for the purpose of improving our service offerings, as well as to best position BlueberryCMS features to ensure a consistent user experience across the broadest range of devices and configurations.
• Platform Utilization. Information about how you utilize BlueberryCMS development tools, and how your sites drive back-end resource utilization so that we may optimize and performance tune our Web and Database Servers in efforts of driving positive user experiences for your customers.
• Social Media. When you interact with us on social media platforms such as Facebook and Twitter, we may obtain information about you (for example, if you publicly tag us) which will aid our ability to continue to provide the quality products and service offerings you desire. The information we receive will depend upon the privacy preferences you have set on those platforms.

We will not use your personal information for marketing purposes if you have indicated that you do not wish to be contacted by us. However, we may still need to contact you for administrative purposes or to bring awareness to a maintenance activity or a service degradation. And as always, your personal information is never shared with any third parties or affiliates for any reason whatsoever.

What type of information is collected from you?

The personal information we collect, store and use might include:

• Name.
• Contact details. Mailing address, email address and telephone number.
• Date of Birth. To satisfy age of consent
.
• Technical/Environmental. The type of device used to access BlueberryCMS development tools, the Browser/Browser version and Operating System.
• Credit Card information. No financial information is stored by us to facilitate billing transactions for your hosting fees. Your card information is collected by third party payment processors (like Authorize.net), who specialize in the secure online capture and processing of credit card transactions. Blueberry, Inc. is currently working with an ASV (Approved Scanning Vendor) as defined on the PCI Security Standards Council site to certify the BlueberryCMS platform.
• As provided. Any other personal information you shared with us.

Blueberry, Inc. and BlueberryCMS do not collect or store any personal information defined as Special Category Data under GDPR. Special Category Data is identified as being highly sensitive and therefore requires greater levels of protection from abuse. For example, information about your health, ethnicity, politics, sexual orientation or religion.

Why is your information used?

We may use your information for a number of different purposes, which may include:

• Providing you with the products, services or information you asked for.
• Processing orders you have submitted, or billing your account.
• To carry out our obligations under any contractual agreements between you and us.
• Keeping a record of your relationship with us.
• Conducting analysis and market research to better understand how we can improve upon our service offerings.
• Seeking your views or comments on the services we provide.
• Notifying you of changes to our services or terms and conditions.
• Sending you communications which you have requested and that may be of interest to you.

We keep your information for no longer than is necessary according to the purposes it was originally collected for. The length of time in which we retain your personal information is determined by operational and legal considerations. We are legally required to hold some types of information to fulfill our statutory and regulatory obligations. We routinely review our retention periods and have automated process which remove inactive account history when it is no longer required to satisfy tax, accounting or legal obligations.