Dr. Fred Logue:

The Deputy is correct in regard to the deletion of personal data subject to a dispute and a subject access request. I have seen that in at least two or three cases. First, it is a breach of the GDPR because personal data have to be retained for as long as is necessary for the purpose. For the purpose of a subject access request, it is necessary to retain it. In terms of the DPC, it does not get a copy of the personal data that are being disputed. It is asked to adjudicate on a dispute over access to information, but it does not ask for a copy of the information. I find that unbelievable, to be honest. Second, in one particular case I asked the DPC to use its powers to order the controller not to destroy the personal data because the controller had told us that it would destroy the personal data upon a certain event happening, which was relatively likely. It took nine months to get the DPC to even engage with that and in the end, it would not exercise its powers. The DPC speaks about fair procedures and it having to take time to ensure fair procedures, but fair procedures also have to be applied in regard to what the data subject is trying to achieve. That is an important point. There is nothing in place that, first, prevents the information being deleted, second, the commission is not taking copies of the information that is being disputed. That needs to be looked at.