1

Under the GDPR, one is entitled to receive any data including CCTV footage that one may feature in if it still exists. However, can one as the data subject also require by request for such footage to be permanently erased, either before, or after, one has received it pursuant to an SAR?

2 Answers

6

The Art 15 GDPR Right to Access is pretty absolute, the Art 17 Right to Erasure not so much. Whether you can successfully request erasure of your personal data will depend on the purpose and legal basis for that processing.

Short decision schema to check if erasure should be granted:

  • no, if any of the Art 17(3) exceptions applies
  • yes, if the data is no longer necessary for the purposes for which it is being processed (Art 17(1)(a))
  • yes, if the legal basis was Art 6(1)(a) consent (Art 17(1)(b))
  • if the data is being processed pursuant to a legitimate interest, yes, if the data subject successfully objected to the processing (Art 17(1)(c))
    • yes, if the data is being processed for direct marketing purposes (Art 21(2))
    • yes, if the data subject objects on grounds relating to their particular situation, unless those grounds are overridden by a compelling legitimate interest

For example, CCTV recordings on private property are often stored for some time for a legitimate interest to deter crime and to be able to investigate criminal acts if they should occur. A data subject could object to the recording, but would likely be unsuccessful: it doesn't make sense to let individuals opt-out from security measures, otherwise bad actors could use this to destroy evidence. Thus, the objection and consequently the request for erasure should be denied.

3

Sometimes - the GDPR and thus the implementing legislation (in this case the Data Protection Act 2018) provides the "right to erasure". But it's far from absolute (since for manifestly obvious reasons such an absolute right would be absurdly open to abuse), doesn't go as far as many people think it does and only applies in set circumstances with quite a lot of exemptions and valid grounds to refuse such a request.

As the ICO describes them, valid circumstances are:

  • the personal data is no longer necessary for the purpose which you originally collected or processed it for;
  • you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
  • you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
  • you are processing the personal data for direct marketing purposes and the individual objects to that processing;
  • you have processed the personal data unlawfully (ie in breach of the lawfulness requirement of the 1st principle);
  • you have to do it to comply with a legal obligation; or
  • you have processed the personal data to offer information society services to a child.

NB: In the above text "you" refers to the data controller.

And there's a list of processing reasons where the right doesn't apply:

  • to exercise the right of freedom of expression and information;
  • to comply with a legal obligation;
  • for the performance of a task carried out in the public interest or in the exercise of official authority;
  • for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
  • for the establishment, exercise or defence of legal claims.

with some additional ones applying to special category data:

  • if the processing is necessary for public health purposes in the public interest (eg protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or
  • if the processing is necessary for the purposes of preventative or occupational medicine; for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services. This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (eg a health professional).

And on top of the above there's the typical grounds for refusing GDPR requests where the request is manifestly unfounded or excessive.
