Data Protection
What is the difference between data controller / data controller agreements and data controller / data processor agreements?
There are two ways for organisations to share personal data. The appropriate type of agreement will depend upon the relationship between the organisations.
Data Controller / Data Controller agreements
The relationship between TPO and its Members is classified as a data sharing arrangement between data controllers. This means that both organisations determine the purposes for which and the manner in which the personal data is processed. This relationship has been documented in our Data Sharing Agreement with Members.
Data Controller / Data Processor agreements
The other form of data sharing arises where a data controller shares data with another party that processes personal data on its behalf. Under data protection legislation, those organisations are known as ‘data processors’.
We recommend that if you have not done so already, you should be reviewing your data sharing arrangements with third party suppliers and service providers.
For more information, please see the ICO website:
- https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/contract/
- https://ico.org.uk/media/for-organisations/documents/1068/data_sharing_code_of_practice.pdf
What do I do if an individual asks to be forgotten?
Individuals have the right to request that their personal data be deleted, also known as the right to be forgotten. An individual has the right to request erasure if one of the following applies:
- The personal data is no longer necessary for the purpose you originally collected it for.
- The individual withdrew their consent to the data processing activities and no other legal justification for processing applies.
- The data subject objects to processing for direct marketing purposes.
- You unlawfully processed the personal data.
Steps to follow:
If you receive a request to be forgotten, you will need to consider whether you can agree to “forget” the individual by deleting their personal data from your organisation (both in electronic and paper format). The answer will depend upon your relationship with that individual.
For example:
- Former client
If the request is received from a former client, you will need to consider whether you can comply with their request or not. When handling their request, you will need to consider why you hold their personal data and whether you have a legal justification for retaining it. It may be that you need to retain the personal data for the purposes of your data retention policy. For example, it is not uncommon for organisations to retain certain information about a transaction with an individual on the basis that the information may need to be maintained due to regulatory requirements (e.g. health and safety, or as required by HMRC).
Commonly, organisations will want to retain personal data in order to defend future legal claims being brought against them – for example breach of contract / negligence. Accordingly, the organisation would be entitled to rely on the statutory limitation period as the reason for refusing a request to be forgotten.
Meanwhile, when considering the request, you may be able to reduce (but not delete completely) the amount of personal data that you hold about the individual.
- Existing client
Where the request is received from an existing client, you will be able to explain to the client the consequences of agreeing to comply with their request. In this case, you need to process their personal data in order to perform the contract with them to provide the services. You would need to explain that if you were to comply with their request, you would no longer be able to continue to act for them.
It will then be up to the individual to decide whether or not they wish to continue to instruct you. Nevertheless, in the event that you have provided a service to an existing client, you may not be able to agree to comply with the request to be forgotten entirely, based on the potentially legitimate purpose of defending future claims (as set out above).
- Current / prospective / former employees
A similar rationale will apply in the case of employees who seek to exercise their right to be forgotten, whether current, prospective or former.
- An individual you send marketing materials to
In the event that the request to be forgotten relates to marketing activities, we anticipate that the individual’s personal data will need to be deleted from your marketing mailing lists (“forgotten”).
However, it might be that the individual is an existing / former client and therefore you will need to apply the above tests to establish whether you can agree to forget the individual in their entirety or whether in fact you have legitimate interests in retaining some of their personal data relating to the services delivered and the statutory limitation period.
For more information, please see the ICO website:
Establishing a retention policy - what do I need to do?
It is advisable to implement a document retention policy that determines the reason and period of retention for the personal data that you process within your organisation.
You need to:
- Establish and adhere to standard retention times for categories of information held on the records of individuals (e.g. employees (former / current / prospective), customers (former / current / prospective), suppliers (former / current / prospective), etc.).
In doing so:
- Base the retention times on business need taking into account relevant professional guidelines and a risk analysis approach;
- Assess who in the organisation is responsible for the retention of the records;
- Make sure no one retains information beyond the standard retention times unless there is a sound business reason for doing so;
- If possible, establish a computerised system which flags information retained for more than a certain time as due for review or deletion.
For more information, please see the ICO website: