dwyl / learn-security

:closed_lock_with_key: For most technology projects Security is an "after thought", it does not have to be that way; let's be proactive!

GDPR question - B2B applications and employee data vs personal data? #35

Open vlbee opened 6 years ago

vlbee commented 6 years ago

Another question that came up -

If working on a B2B application or web app service on which employees are required to share personal data, what happens when they leave? Can they ask for their data to be removed? Who owns it if it's business related? I.e. a company requires you to use Slack and you want to delete all the messages you posted when you leave the company, but what if Slack is an official business tool and you are required to use it?

nelsonic commented 6 years ago

@vlbee another great real-world / practical question! 🥇

If the data is integral to the functioning of the B2B application, e.g. Employee A assigns a task to Employee B in a "task/project management tool" and Employee B then leaves the company and asks for all data relating to them to be deleted, the "context" would be "lost" in the task if the event of task assignment were to be deleted...

Typically how this is treated is that the username of Employee B would be "anonymised". But this is only a "superficial" anonymisation as everyone on the internal team will still know who the person was ... 🙄

If the personal data of the employee, e.g. name, address, social security, passport etc., is stored in an "HR" application, the employee is within their GDPR right to demand that it is deleted. If this is the case it should be completely deleted within 1 month.

Follow-up / Related question: What if the employee was "fired" because of unlawful activity and the evidence of that activity is contained within the internal system? Will retaining that data (that the ex-employee created and now is demanding to be deleted) be subject to GDPR regulations...? i.e. could GDPR-enforcement "destroy evidence"...?

As far as we are aware there is no specific provision for this in GDPR ... But I will be personally re-reading the full document over the next few weeks and will have an answer 😉
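The two-store approach described in the comment above (delete personal data held in the HR system outright; keep task history but replace the person's identifier with an opaque label so the assignment context survives), as an added worked example that is not part of this thread or of the dwyl/learn-security repository. The data model, field names and the 30-day reading of "within 1 month" are assumptions made for the illustration.

```python
"""Handling a GDPR erasure request in a B2B task-management app.

Added illustration; not code from the thread or from dwyl/learn-security.
Assumptions: an HR store keyed by user id holding PII, an application store
whose tasks reference users by numeric id, and a 30-day erasure deadline.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional
import secrets

ERASURE_DEADLINE_DAYS = 30  # assumption: "within 1 month" read as 30 days


@dataclass
class User:
    user_id: int
    username: str
    erased: bool = False


@dataclass
class Task:
    task_id: int
    title: str
    assigned_by: int  # user_id of the assigner
    assigned_to: int  # user_id of the assignee


@dataclass
class ErasureRequest:
    user_id: int
    requested_on: date
    completed_on: Optional[date] = None

    @property
    def due_on(self) -> date:
        return self.requested_on + timedelta(days=ERASURE_DEADLINE_DAYS)


@dataclass
class Store:
    hr_records: Dict[int, dict] = field(default_factory=dict)  # PII per user
    users: Dict[int, User] = field(default_factory=dict)
    tasks: Dict[int, Task] = field(default_factory=dict)
    requests: List[ErasureRequest] = field(default_factory=list)


def pseudonym() -> str:
    # A random token, not a hash of the name: hashing a short, guessable
    # value such as a person's name can be reversed by trying candidates.
    return "former-employee-" + secrets.token_hex(4)


def erase_user(store: Store, user_id: int, today: date) -> ErasureRequest:
    """Delete HR personal data and pseudonymise the application account.

    Task rows stay in place so 'who assigned what to whom' keeps its
    structure; they now point at an opaque label instead of a person.
    Note this hides the identity in the data only; colleagues who worked
    with the person will still remember who it was (the 'superficial'
    anonymisation the thread describes)."""
    req = ErasureRequest(user_id=user_id, requested_on=today)
    store.requests.append(req)
    # 1. Personal data in the HR application: delete outright.
    store.hr_records.pop(user_id, None)
    # 2. Application account: keep the row (tasks reference it by id),
    #    replace the identifying username with an opaque label.
    user = store.users[user_id]
    user.username = pseudonym()
    user.erased = True
    req.completed_on = today
    return req


def overdue_requests(store: Store, today: date) -> List[ErasureRequest]:
    """Requests still open past their deadline; what an audit would flag."""
    return [r for r in store.requests
            if r.completed_on is None and today > r.due_on]


def task_context(store: Store, task_id: int) -> str:
    """Render a task's assignment context using current usernames."""
    t = store.tasks[task_id]
    by = store.users[t.assigned_by].username
    to = store.users[t.assigned_to].username
    return f"{by} -> {to}: {t.title}"


def demo() -> Store:
    # Constructed sample data: two employees, one task, one erasure request.
    store = Store()
    store.hr_records[2] = {"name": "Employee B", "address": "(constructed)",
                           "passport": "(constructed)"}
    store.users[1] = User(1, "employee-a")
    store.users[2] = User(2, "employee-b")
    store.tasks[10] = Task(10, "Rotate the API keys", assigned_by=1, assigned_to=2)
    erase_user(store, 2, date(2018, 6, 1))
    return store


if __name__ == "__main__":
    s = demo()
    print(task_context(s, 10))  # employee-a -> former-employee-xxxxxxxx: Rotate the API keys
```

The separation matters for the follow-up question in the thread as well: keeping the HR store and the application store apart lets a team delete the former on request while reasoning separately about what the latter must retain, and `overdue_requests` gives a simple check that no request silently slips past the deadline.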

nelsonic commented 6 years ago

@vlbee this is a good article on the subject: https://resources.workable.com/tutorial/gdpr-checklist-recruiting-hr; it's specific to HR (personal) data but has some tips & answers.

vlbee commented 6 years ago

Thanks! Lots of information and food for thought. Feels like it's an aspect of personal data we often forget because it's not data we share in a 'personal' context/capacity.