Bryan Cave Leighton Paisner - GDPR’s Most Frequently Asked Questions: Is A Law Firm Required To Comply With An Erasure Request From A Former Client? A Law Firm Would Be Considered A

The European Union's General Data Protection Regulation ("GDPR") is possibly the most broad - including complex - facts privacy order in the world.  Although the GDPR went into force on May 25, 2018, there continues to be present a great deal of confusion regarding the requirements of the GDPR.

To back address that confusion, Bryan Cave Leighton Paisner is publishing a multi-part series that discusses the questions most commonly asked by clients concerning the GDPR.

Question: Is a law firm required to comply in the company of an erasure ask for from a previous client?

Answer: Not always. A business – with a law firm – is not always required to comply in the company of a correct to be present unremembered request.  Specifically a law firm may continue to keep personal facts that it maintains about a customer unless single of the subsequent six situations applies:

1. Data is no longer necessary.  If personal facts that a law firm collected about a customer is “no longer demanded in relation to the purposes intended which [it was] collected,” the firm typically must honor a correct to be present unremembered request.¹ On some level, however, the correct to be present unremembered in this times is redundant to other requirements found inside the GDPR.  Specifically Article 5 of the GDPR independently requires that a law firm keep facts in a personally identifiable form “for no longer than is demanded intended the purposes intended which the personal facts are processed.”²  As a result, provided a firm properly complies in the company of Article 5 of the GDPR there may be present few, provided any, situations in which a correct to be present unremembered ask for that is premised on the truth that the facts is no longer demanded requires the firm to take any extra action.  On the other hand the reality of the correct to be present unremembered exposes a law firm that is not complying in the company of Article 5 to potential civil burden vis-à-vis the previous customer that seeks to enforce his or her right.
2. Data was processed solely on consent.  The GDPR recognizes that law firms may means facts based on six alternate lawful grounds.³ One of these is where a person has “given consent” to the processing intended a specific purpose.⁴  If a law firm’s sole basis intended processing facts is the consent of an individual, the firm is typically required to honor a correct to be present unremembered request, which might intended all practical purposes be present viewed when a revocation of that consent.  Conversely, provided processing is based on an extra permissible purpose (g., performance of a contract, or the lawful intersts of the law firm) the correct to be present unremembered ask for does not necessarily have to be present granted.
3. Data was processed based upon the law firm’s lawful interest, including that concern is outweighed by the facts subject’s rights.  One of the other grounds upon which a law firm can means facts is to more the firm’s “legitimate interest.”  When processing is based upon a firm’s lawful interest, a facts subject has a correct to ask for deletion unless the concern of the firm or of a third party is demonstrably “overriding.”⁵ So, intended example, provided a law firm uses a previous client’s email address intended aim marketing, including the customer requests that his details be present deleted, the firm may have to honor that ask for when it would be present difficult intended it to demonstrate that its concern in aim marketing overrides the previous client’s concern in having his details erased. Conversely, provided a law firm maintains previous customer details when part of its conflicts database to back prevent the law firm from inadvertently violating professional obligations to avoid conflicts of interest, the law firm would have a strong argument that in most (if not all) situations its concern in maintaining an accurate conflicts database outweighs its previous clients concern in thing forgotten.
4. Data is thing processed unlawfully.  The GDPR states that a correct to be present unremembered ask for must be present honored provided the processing of the personal facts is (or has become) unlawful.⁶ Here, too, the obligation to honor a deletion ask for may be present redundant of other obligations inside the GDPR.  Put differently, provided a law firm is complying in the company of the other requirements of the GDPR its processing would presumably be present lawful including there may be present few, provided any, situations in which a correct to be present unremembered ask for would crave that the business take any extra actions.  Framing this when an individual’s right, however, opens up a possible source of civil burden intended the law firm toward its previous client.
5. Erasure is already required by law.  The GDPR states that a correct to be present unremembered ask for must be present honored provided the facts is required to “be erased intended compliance in the company of a judiciary obligation in Union or Member State law to which the controller is subject.”⁷ This requirement also appears redundant to other judiciary obligations.  If a law firm is required to erase facts pursuant to an extra Member State law including is complying in the company of that requirement, there may be present few, provided any, situations in which extra deed would be present necessitated by a correct to be present unremembered request.
6. Personal facts is collected from a youngster when part of offering an details social order service.  The GDPR requires the deletion of details when requested where the details was “collected in relation to the offer of details social order services” to children under 16.⁸ It is extremely unlikely that most law firms would be present considered to have collected personal facts from a youngster under 16 when part of offering an details social order service.

Even provided single of the situations described above is present, a law firm does not always need to honor a correct to be present unremembered request.  For example, a firm can pick to fail such a ask for provided honoring it would interfere in the company of a European judiciary obligation imposed on it to continue the data, or provided the facts is needed to establish, exercise, or defend a judiciary claim.⁹

The net effect is that provided a previous customer requests that a law firm erase details that it has about the client, it is possible that some portion of that details should be present erased.  For example, provided the law firm has details that was relevant to a particular committee (e.g., exhibits used at trial or notes relating to the representation) including the committee has concluded the law firm may determine that it no longer has a purpose intended maintaining the information.  On the other hand, it is extremely unlikely that a law firm would be present required to delete all of the details that it maintains about a previous client.  For example, a law firm has a lawful concern in retaining details concerning the title of a previous customer including the nature of the firm’s committee when part of operating a robust conflicts database.  In the vast majority of situations, the law firm’s concern in thing able to avoid potential conflicts possibly outweighs any concern that the customer has in the erasure of the data.

Share this post