Should an email from a person requesting erasure of their personal data (e.g. in connection with recruitment, stating that they no longer consent to further processing) and the email response to that person when the controller deletes their data also be deleted? Or can they still be processed?

ANSWER

As a rule, where a request for erasure of personal data is found to be justified, the controller should erase all personal data covered by the request from every medium on which it holds them.

Guided by the accountability principle in Article 5(2) GDPR, the controller should be able to demonstrate that it has fulfilled the request of the data subject. In this case, such confirmation is a data erasure protocol. It is appropriate to include in the protocol:

1. Who erased the data?
2. When was this done?
3. Whose data were erased (here the category of persons should be indicated, e.g. prospective client/job applicant — without specific personal details).

Equally important, such protocols should state that erasure was carried out in accordance with the company's procedure for fulfilling the rights of data subjects.

Request and response content should therefore not be retained, given the risk of an allegation that the right to be forgotten was not fulfilled.