Employers should have in place a process to delete former employees’ information – including public facing information and photos – to meet their retention limitation requirements, according to the Belgian Data Protection Authority.
And both European Union and Californian employers should also take note!
Here are some key points:
- Ideally, an erasure request should result in the deletion of personal data within one month (Articles 12(3) and 17(1)(a) GDPR) (45 days in California). However, if you reply on time (30 days EU, 45 days CA), the actual deletion of the personal data may require more time because of the complex technical and operational implications of deleting the personal data.
- When a staff member leaves a job, you should make an effort to remove the following information as soon as possible from the employer website/social network page: the identity, function and photograph(s) of the data subject. (A few weeks is an adequate time frame to remove such elements.)
- You should put in place a procedure for staff departures and other data protection issues that need to be addressed in situations like the present case. If you do not delete the data on your own initiative, you should react as soon as possible when you receive an erasure request.
- The period within which deletion should take place (whether on the controller’s own initiative or following a request from a data subject) could vary depending on several factors, such as whether or not the controller is a large company, the nature of the function of the data subject and the context of the departure of the data subject. In this case, the personal data remained visible on the website for 7 months (period between the dismissal and the filing of the complaint at the DPA). The DPA deemed this period ‘a priori’ excessive.