The right to be forgotten

Mike purchased a Volta Superbike five years ago with a two-year guarantee. What data may Volta Superbikes capture, and what may they use it for? How long may the data be stored? When can Mike request the deletion of his data? The right to be forgotten sets guidelines and BSI CRM supplies an intelligent deletion concept to implement them.

Mike shared his data with Volta when he bought his superbike five years ago. Since the purchase was made in the EU, the European General Data Protection Regulation (GDPR) applies. With the “right to be forgotten,” it stipulates, among other things, when and for how long Volta may store Mike’s data.

Data storage only with legitimacy

Volta may store Mike’s data only as long as there is a legitimate basis for doing so, e.g. if the data is needed to fulfill a contract or legal obligations, or if Mike has given his permission. For Volta this means that they may store Mike’s data during the sales phase and the guarantee phase. After the guarantee phase, Volta must archive the data for ten years due to the legal retention obligations. Afterwards, Mike’s data must be deleted, unless Mike gives permission for his data to be further processed for advertising or information purposes.

Privacy by design

With BSI CRM, Volta has an application that ensures Mike’s data protection. BSI CRM follows the “privacy by design” principle (data protection through technology). In other words: the functionality for data protection is anchored in the software so that the end customer’s data protection is ensured by the technology. Data protection is not implemented reactively as a remedy, but proactively as a precaution.

Intelligent deletion rules

Deletion of the data takes place automatically according to individually set deletion rules. The deletion rules preconfigured in BSI CRM can be adjusted by Volta according to their needs and to the precise local legal situation. Volta can set the deletion rules per entity (order, communication, person, etc.). The filter defines when the deletion rule should take effect, e.g. only if the person has no pending contracts or orders. With the locking and deletion periods, Volta can determine when the data is to be locked or deleted.

Delete or lock?

Volta can both set up retention obligations and configure deletion rules in BSI CRM. With the retention obligations, data that must be archived for legal reasons can be locked; e.g. Volta must archive order data for ten years after the guarantee has expired. Locked data records can only be found and used by CRM users with specific permissions. “Delete” means that the personal and company data, as well as all links, such as to communications or orders, are removed. Deletion of the data is irreversible.

Deletion upon customer request

Mike can explicitly request that his data be deleted. Volta can delete his data record through the menu bar or through a process. Prior to deletion, a review of the defined retention obligations takes place. The authorization to delete people and companies can be limited by Volta through the user permissions.

Legally secure analysis data and satisfied customers

While links and information are deleted through the deletion of data, the data can be further used in an anonymous form for reports and analyses; e.g. Volta will continue to be able to see how many people were written to in a marketing promotion and what the reaction was, but not the specific people. This follows the CRM philosophy of Volta Superbikes: “zombie users” are removed, and what remains is up-to-date data with the customers’ consent as well as anonymous, legally secure data for analysis purposes.

 

What is the GDPR?

The General Data Protection Regulation (GDPR) standardizes the rules for the processing of personal data by private companies and public authorities throughout the EU. It is intended to ensure the protection of personal data within the EU as well as the free movement of data within the European single market. Under Article 17, the regulation clarifies the “right to erasure” and the “right to be forgotten.” The regulation came into force on May 24, 2016, and must be applied by all companies as of May 25, 2018. Source: www.dsgvo-gesetz.de

 

 
