1. General information
GDPR (EU General Data Protection Regulation, available at the link) sets forth a list of cases when a data subject (e.g., merchant's customer) is entitled to request their data to be erased or not further processed by the merchant. Please note that these rights are not absolute but apply only in the cases specifically envisaged by the GDPR.
In other words, if a data subject requests their data to be erased or objects to further processing, this does not per se mean that you are legally obliged to perform such actions. Every request should be analysed considering your purpose of processing, the lawful basis for processing, the scope of data processed, type of data subject's request (right to erasure/right to object to processing/right to restrict processing), legal provisions of GDPR that apply in a particular case, etc.
Below you may find a high-level summary of the main GDPR provisions that apply to data subject's requests to erase data/restrict processing/object to processing, including the role of Solid in these processes.
2. Overview of related provisions of GDPR
Please note that you must respond to your customers' requests to exercise their rights laid down in the GDPR within one month, and either let the individual know your decision or give reasons where you do not intend to comply with any such request (Recital 59 of GDPR).
2.1. Your customers have the right to have their personal data erased (known as ‘right to be forgotten’) if:
the personal data is no longer necessary for the purpose which you originally collected or processed it for;
you are relying on consent as your lawful basis for holding the data, and the customer withdraws their consent;
you are relying on legitimate interests as your basis for processing, the customer objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
you are processing the personal data for direct marketing purposes and the customer objects to that processing;
you have processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the 1st principle);
you have to do it to comply with a legal obligation; or
you have processed the personal data to offer information society services to a child.
For more details, please refer to Recital 65 and Article 17 of GDPR and the UK Information Commissioner's Office (the UK ICO) guidelines available at the link.
2.2. Your customers have the right to restrict the processing of their personal data if:
the customer contests the accuracy of their personal data and you are verifying the accuracy of the data;
the data has been unlawfully processed (i.e. in breach of the lawfulness requirement of the first principle of the UK GDPR) and the customer opposes erasure and requests restriction instead;
you no longer need the personal data but the customer needs you to keep it in order to establish, exercise or defend a legal claim; or
the customer has objected to you processing their data under Article 21(1), and you are considering whether your legitimate grounds override those of the individual.
For more details, please refer to Article 18 of GDPR and the UK ICO guidelines available at the link.
2.3. Your customers have the right to object to the processing of their personal data if:
you process their personal data for the purposes of direct marketing;
you process their personal data for a task carried out in the public interest;
you process their personal data in the exercise of official authority vested in you; or
you process their personal data for your own or a third party's legitimate interests, including profiling.
Please note that, according to the guidelines of the UK ICO, 'Individuals have an absolute right to stop their data being used for direct marketing'.
For more details, please refer to Article 21 of GDPR and the UK ICO guidelines available at the link.
3. Role of Solid in the fulfilment of your obligation to respond to requests for exercising the data subject rights of your customers
3.1. As a payment data processor (a company processing customer data on your behalf and under your instructions), Solid should assist you by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of the controller's obligation to respond to requests for exercising the data subject's rights (Art. 28(3)(e) of GDPR). In practice, this means that you are solely responsible for your compliance with the controller's obligation to respond to requests for exercising the data subject's rights, so you are the one who is authorised to decide how to respond to your customers' data subject requests.
3.2. If you decide to delete your customer's personal data and request us to act accordingly, Solid is obliged to delete the requested personal data from its databases, except in the cases where we are obliged to retain such data to comply with EU or EU Member State laws.
3.3. However, it is worth mentioning that some data is needed to handle the refunds, chargebacks, or future payments (if any) for a particular customer. If you request us to delete all the personal data related to a customer, we will not be able to assist you with the processing of any further refunds, chargebacks, or other payments for this customer.
3.4. Additionally, please note that the rights to data erasure, restriction of processing, and objection to the processing of data are not absolute, but are applicable only in the cases laid down in the GDPR.
For example, the right to erasure laid down in Article 17 of GDPR will most likely not apply if the processing of your customer's personal data is necessary for the performance of a contract with that customer (the legal basis for processing envisaged by Art. 6(1)(b) of GDPR), you lawfully process the data only to the extent and for no longer than is necessary to render services under your contract with the customer, and such services do not include information society services to a child.
This usually covers processing for service provision, payment acceptance, refund initiation and other service-related processing activities, including the data you share with Solid. Conversely, this example does not cover processing that is not strictly necessary for the performance of a contract (e.g., if you also process a customer's personal data for direct marketing, such as sending newsletters; such processing should be covered by another legal basis).
4. Disclaimer
The information provided on this page does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this page are for general informational purposes only. We highly recommend you consult your legal counsel and/or data protection officer before deciding how to respond to your customers' requests. A correct decision should always be based on a diligent analysis of your business processes and personal data flows and thus cannot be based on general overviews like this one.