I have had a request to supply a client with all of their files (including InDesign docs) due to the General Data Protection Regulation (GDPR). My client also wants me to delete the files from my machine. I'm really not comfortable doing this as the time involved would also be lost as they won't want to pay.

How should I respond to such a request?

  • Possible duplicate of How do you explain the value of native files to an uneducated client?
    – Luciano
    Commented May 23, 2018 at 12:37
  • Depends on the nature of the work that you have stored. GDPR only applies to personal data.
    – Westside
    Commented May 23, 2018 at 12:41
  • @WELZ Yeah, that’s what I’m saying. If it’s labels for tins of soup then it’s not within the scope of GDPR. The OP doesn’t say either way so we need more info to help. My understanding is that it would need to be data relating to individuals, not companies, for GDPR to apply. If that’s not the case then his customer might just be trying it on.
    – Westside
    Commented May 23, 2018 at 12:53
  • I agree with @Scott saying your client seems sketchy. It seems to me you would have been notified BEFORE doing the work if you had to take any extra care with the data and the client should have required you to sign some kind of contract stating what you can and cannot do with the data. Otherwise maybe your client messed up bad with data handling and is now scrambling to fix their mistake, which really, is their problem to fix, not yours.
    – curious
    Commented May 23, 2018 at 14:21
  • Also refer Article 6.1(b) "processing is necessary for the performance of a contract" and 6.1(f) "processing is necessary for the purposes of the legitimate interests pursued by the controller" - client's withdrawal of consent for personal data may be irrelevant (ignoring the fact that the request itself is questionable in this case).
    – crunch
    Commented May 25, 2018 at 10:13

6 Answers

TL;DR The client is fundamentally mistaken about the type of data covered under GDPR, although there are possibly things in the files that are covered under it. You should not send them the files, though you do need to respond with any personal information in them.

I'm doing some of the data protection work for my company, so I've been reading a lot around this. I'm definitely not a lawyer, so a bunch of this should be taken with a pinch of salt. That said, this example has a fairly clear correct course of action:

  • GDPR covers only personal information related to individuals (https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-does-general-data-protection-regulation-gdpr-govern_en)

  • This means that the only thing affected in your design by GDPR is personal information

  • Your response should, therefore, only cover the personal information contained in your design. Did you put a personal email address of theirs in? Is there a client name or address in the text? Any photos of clients or people in general? If so, send them an email stating the personal information you found in the design, and asking if they'd like you to delete those specific bits.

  • If they say yes, delete the email addresses/any names/client photos any other personal information you can find.

  • Remember to also delete it from any backups you have, and from the history of the file. If you're feeling friendly, you might want to point out this will make the files harder to use for them.

  • They absolutely cannot force you to hand over ownership of the files under GDPR. Unless stated in the contract, they remain your intellectual property.

Edit: forgot an important bit. This only applies to the personal data of the person making the request. Anything else, even data from one of their employees, is not covered, and you probably can't and shouldn't hand any of the data over. Their employees will have to make their own requests for their personal data. To protect yourself, however, it's probably worth reviewing and deleting any unnecessary personal information you hold.

Hope it's helpful!

  • I think the first bullet point would be more complete if it read "GDPR covers only personal information related to living individuals which is not held for household purposes". Your friends' information in your phone, which you hold for your purposes rather than your business's, is not covered.
    Commented May 23, 2018 at 23:50

Doesn't really matter WHY the client wants you to delete your files and send them everything.

It seems to me the client is using GDPR as an excuse and nothing more. I mean, practically any design is promotional material and any possible personal information - name, address, contact, email, etc. - was made public information via the promotions themselves. It's not "personal stored data". Your client is being terribly sketchy here, in my opinion.

Charge for the file delivery. After you receive payment, send the files and a letter explaining all the files will be removed from your machines and backups and you will no longer retain any files related to the client, once you have been notified they received the files. Then go in and actually remove everything after you get confirmation of receipt (since they have paid for this).

Remember, even if they pay you, you can't send them any fonts or stock images you purchased and used. Those are generally licensed to you and sharing those items would put you in breach of any license agreement related to them. The client will need to go and purchase any necessary fonts and images to support the designs.

It's the client's problem if they later need something altered or created. You merely need to be certain you are paid for the files.

If the client doesn't want to pay for anything... don't give them the files, don't delete anything. They are your files. No outside party can force you to do anything with your business assets (other than law enforcement).

If the client starts waffling and becomes belligerent and demands files, merely politely refuse unless payment is received.

Worst case scenario, you lose this client (which you're going to do anyway from the sound of things), and the client feels they need to make some spectacle of the matter and file a lawsuit or something. The suit, in my opinion, has a low probability. However, they may bring that up to use as a tactic toward bullying you into doing what they want. While I'm not a lawyer, I doubt they'd win a suit forcing you to remove your business assets.

In short, my stance would be:

I'm happy to. Price for all the files is $X. Once payment is received, I'll forward everything I have and then subsequently remove it all from my systems once I know you've received it.

Client:

We aren't paying

Me:

Then I'm sorry. I won't deliver files, or delete anything, without payment.

Client:

We'll sue!

Me:

Okay. You are free to do what you feel is necessary. Price for my business assets as they relate to the work I've completed for [company name] is $x. I am very happy to comply with your request once payment is received. Thank you.


I've worked on highly secretive projects where company data was private and intended to remain private within a small group. This was always presented to me as highly sensitive data that is "not to be shared with anyone". I'm not talking about any non-disclosure agreement, more general data that I had privy to in order to complete a project (mostly company financials). The clients for these projects always presented this matter up front at the start of projects. So, I was aware of the confidentiality. But even dealing with multi-million dollar companies in this manner, they've never asked that I remove and delete my files, they merely ask that I maintain the privacy of the files.

If these clients were to ask me to remove things and send them all the files, I would certainly understand the request. But I'd also certainly charge them for delivering files.

If they just wanted me to delete files without delivering them, I'd probably negotiate a settlement... as in... I remove the private data from the pieces but keep the design intact for use as portfolio samples, giving them approval of the altered designs so they could verify the private information had been removed.


Work-for-hire: if you are under a work-for-hire agreement, or an "employee", then they actually own everything. Comply with their request without payment or issue. The files aren't yours.

  • Does this mean that one has a perverse incentive to use very expensive fonts, and plugins ;) Just saying.
    – joojaa
    Commented May 23, 2018 at 15:19
  • Actually @Joojaa -- for me it means I don't care. I purchase and use fonts I think work well, if they cost $5 or $500 it doesn't matter. I never plan on supplying my design files after the fact so the client burden is never a deciding factor :)
    – Scott
    Commented May 23, 2018 at 15:21
  • Yes, agreed, you don't know if the client is going to be a problematic one or not :) But really it's sort of a perverse situation, just makes me wonder.
    – joojaa
    Commented May 23, 2018 at 15:33
  • I have also changed fonts in a design if a negotiation for file delivery has come later, giving the client options -- leave the fonts and incur an additional $x fee to support the current design, or pay $x for me to alter fonts to "free" or "Typekit" fonts the client already has (and I have as well).
    – Scott
    Commented May 23, 2018 at 15:39

This is not legal advice so don't take it as such. You may actually want to read up on GDPR. But don't just Google for it; go directly to the source:

  1. What the European Commission has to say about GDPR
  2. The actual regulation is also available

Now GDPR does not say anything about releasing source files. Instead it is pretty reasonable in scope. What it basically says is:

  • Personal data is important
  • You need to have a reason to store personal data
  • You need to document what data you store, why, for what purpose and for how long. As simply as possible, with the document available for you clients.
  • The person to whom the personal data pertains has the right to ask to review the data. This can be done in many ways, but it does not specify that this means you need to give it in the exact form you stored it.
  • The person has the right to make corrections to the personal data
  • The person has the right to ask for deletion of the personal data
  • It also tells you that you can not use the data unrestricted
    • So you can not just give it to third parties
  • You must protect such data from third parties and misuse.

It also tackles a few things about how to collect consent and so on.

So your client can request to review the data you have stored and the policy of data retention that you have (for payment purposes, for example). This does not have to be the InDesign file; you can copy the relevant parts from the text, for example, and send it to the client, if and only if it is the client's data to begin with.

But I am not a lawyer; I know next to nothing about how the relatively vague definitions would be interpreted by a European lawyer.

PS: If you think GDPR is really strict and heavy-handed: yes, it is just a symptom of having to legalise reasonable behaviour. When something you should have been doing anyway gets written into a law, all kinds of reasonable behaviour gets lost, since a law is a very blunt instrument that applies to everyone in scope, reasonable or not.


GDPR is a complicated situation and it all depends on the kind of contract you have with your client. So this is mostly a legal issue before getting to the InDesign part.

Also, GDPR is a major legal issue for companies and one that involves multiple costs and GDPR does not force you as a third party provider to give away the files for free.

In theory they may take action to protect proprietary work done by third parties, but in practice you on the other hand can set a price for handing over the files.

However, if you did the work as an employee, you probably won't have much to play with and will need to supply everything and remove everything from your personal computer.

Also see this question: Long term client wants working files

  • This is a client of mine for around 3 years. I've got an average amount of data. Most of which I'd probably guess has nothing to do with Data Protection, as there are no client details. I'll let them know I've deleted any info of clients as that will be a quicker fix than collecting everything for output and sending everything over. Thanks for the advice and opinion.
    – Whiteleaf
    Commented May 23, 2018 at 14:13
  • @Whiteleaf: Note that you may keep client data for record-keeping purposes. In fact, you probably must keep this data, for tax reasons. Since this is a legal obligation, you don't need consent and don't need to honor deletion requests. You do need to honor the rights to query and correct data, of course.
    – MSalters
    Commented May 24, 2018 at 9:23

I don't understand what GDPR has to do with your files.

If you are working on Personal Data your client provided, then you delete those files and others that contain the data (e.g. work files), and issue a statement to the client that you have done so.

This protects the client in case anything arises; they can show the data was destroyed.

Supplying files for them is a totally different thing and requires a fee. Either described in contract or stated in a completely new one just for handling the files.

Those two things are not connected with each other. Even in GDPR, "good practice" guides state that data files should be destroyed, not returned to the provider.

  • Thanks for this. To be honest I wasn't expecting this type of request as it didn't seem to be linked to me either. I may just do that. I'll delete the personal data and send an email to say I've done so.
    – Whiteleaf
    Commented May 23, 2018 at 14:12
  • @Whiteleaf You probably can't delete all personal data of the client because you would violate tax laws!
    – Josef
    Commented May 25, 2018 at 7:23
  • Re tax laws: if you need to keep the client's personal data for this or other similar purposes, you could allude to Article 6.1(f) "processing is necessary for the purposes of the legitimate interests pursued by the controller". GDPR does NOT require consent in all cases.
    – crunch
    Commented May 25, 2018 at 10:10
  • @Josef Personal data only if your client is a private person. If it's a company there is no personal data. Also GDPR states that for needs described by bills or deals you don't need to ask for the right of processing.
    Commented May 25, 2018 at 10:15

Under the GDPR you have to remove personal data. It says nothing about your business files or your products. Don't give those away. You're not obliged to give those files.

You're obliged only to provide an overview of the collected data; this could be a text file describing which data you have where. You're also obliged, when requested, to update the data or remove it.

Also, don't forget Tax laws. Under most tax laws you're required to keep data for X years if you received money for auditing purposes. Deleting this information may actually be illegal/spell a lot of trouble when an audit happens.

What you will have to do is audit which personal information you have of the customer, and where (which you should already have).

Send screenshots of personal data in the documents you've made. Send a summary of which data you have where. Make a list of data you cannot lawfully delete (printed invoices, bank account excerpts, etc.), but tell him/her that it will be deleted when the auditing term has expired. You can anonymize it in auditing software, and make a note that the real information is on the printed archived documents for auditing.

Also document the removal request. Store it printed in a folder somewhere, notify the private entity that that's also a spot where his details will be stored, just so you can cover your ass.

Remember that you can anonymize data instead of straight up deleting it. So change emails to [email protected], so as to preserve accounting software stability, etc.

  • On the anonymized email specifically, I can't find any record of nobody.com, so it may very well be an actual email domain. Use [email protected], as example.com is a reserved domain (emails sent to anywhere at example.com will never reach a person).
    – Delioth
    Commented May 24, 2018 at 19:20
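The answer above and the comment on it describe a small procedure: inventory which personal data you hold and in which files, anonymize rather than delete anything that must be retained for the audit term, and put replacement addresses on the reserved example.com domain. The Python below is an added example of that procedure; it is not code from the page or from any answerer. The file names, the addresses (on the reserved .test TLD), the retention rule and the salt are all constructed for illustration. It also generalizes slightly beyond the answer by making the replacement deterministic (the same real address always maps to the same pseudonym), which is what keeps accounting-style references consistent across files.

```python
import hashlib
import re
from collections import defaultdict

# Matches the common shape of an e-mail address; good enough for an inventory sweep,
# not a full RFC 5322 validator.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample "documents": text as exported from design files and records.
# The client domain uses the reserved .test TLD so nothing here points at a real mailbox.
SAMPLE_DOCS = {
    "brochure_2017.txt": "Questions? Write to jane.doe@client-example.test today.",
    "invoice_0042.txt": "Invoice 0042 issued to jane.doe@client-example.test, paid in full.",
    "soup_labels.txt": "Tomato soup, 400 g. Store in a cool, dry place.",
}

# Constructed retention rule: records that cannot lawfully be altered yet
# (the answer's example is invoices kept until the auditing term expires).
RETAINED = {"invoice_0042.txt": "retained until end of audit term"}


def inventory(docs):
    """Map each address found to the sorted list of files it appears in."""
    found = defaultdict(set)
    for name, text in docs.items():
        for match in EMAIL_RE.finditer(text):
            found[match.group(0).lower()].add(name)
    return {addr: sorted(files) for addr, files in found.items()}


def pseudonym(address, salt):
    """Deterministic replacement on example.com (reserved, never delivers mail).

    Salting the hash means the pseudonym cannot be reversed by anyone who
    guesses the original address and hashes it themselves.
    """
    digest = hashlib.sha256(f"{salt}:{address.lower()}".encode()).hexdigest()[:12]
    return f"user-{digest}@example.com"


def anonymise(docs, salt, retained=RETAINED):
    """Rewrite addresses everywhere except in retained records, which are left untouched."""
    out = {}
    for name, text in docs.items():
        if name in retained:
            out[name] = text
        else:
            out[name] = EMAIL_RE.sub(lambda m: pseudonym(m.group(0), salt), text)
    return out


def report(docs, retained=RETAINED):
    """Summary lines for the requester: what was found, where, and what happens to it."""
    lines = []
    for addr, files in inventory(docs).items():
        for name in files:
            action = retained.get(name, "anonymised")
            lines.append(f"{addr} in {name}: {action}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_DOCS):
        print(line)
    cleaned = anonymise(SAMPLE_DOCS, salt="constructed-secret-salt")
    print(cleaned["brochure_2017.txt"])
```

Run it as-is to see the report and the rewritten brochure text; in practice you would feed it text exported from the real files (InDesign's text export, invoice PDFs converted to text) and keep the salt out of the files you hand over, since whoever holds the salt and the original address can recompute the pseudonym.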