The General Data Protection Regulation (GDPR) grants individuals the Right to erasure ("Right to be forgotten") and the Right to data portability.
Right to be forgotten
Under the Regulation, the Data Controller is obligated to erase personal data relating to a data subject if one of the following criteria has been met:
- The data are no longer necessary in relation to the purposes for which they were processed.
- If the legal ground for processing data is based on consent and the data subject withdraws the consent and no other legal ground for the processing exists.
- The data subject objects to the processing and the controller processes the data for direct marketing purposes, or the basis for the processing is balancing of interests and the Data Controller does not have compelling reasons for the processing which supersede the data subject’s objection.
- The processing is unlawful.
- The erasure is statutory.
However, if you are the Data Processor, as Umbraco is for Umbraco Cloud customers, then the Data Controller must decide whether to erase data and must then instruct the Data Processor to erase it.
If one of your customers contacts us in order to have his/her personal data changed or deleted, we will send them to you as you are the Data Controller. You will have the task and responsibility to take relevant action.
Right to data portability
The right to data portability means that the data subject may in some cases be entitled to get and transfer its data from one Data Controller to another Data Controller. Only data provided to the Data Controller by the data subject him-/herself are covered by this right. Thus, the right to have data transferred to the data subject does not necessarily apply to all the data that the controller possesses about the data subject.
The data subject may invoke the right to data portability if two conditions have been met:
1) If the basis for the processing is consent or a contract; and
2) If the processing is automatic (and not manual)
There is no requirement that the Data Controller uses a system that enables data to be transferred directly to another processor, as long as the controller is able to transfer the data in a structured, common and machine-readable format.
Note that at Umbraco, we store customer data such as name, mail, IP, number of tickets for support clients, company name, company address and the like.
We clean up the data regularly, removing obsolete data; however, we are also obliged to store some data for regulatory purposes, for example, accounting data.
Should you wish for your data to be deleted, send an email to firstname.lastname@example.org and we will process it accordingly.