This site is intended for Healthcare Professionals only

General Data Protection Regulation

NPA Essential

General Data Protection Regulation

The "right to erasure" only applies in certain circumstances, including where the:

  • Personal data is no longer necessary for the purposes it was collected or processed
  • The individual withdraws consent for the lawful processing of personal data and there is no other lawful basis for processing individual objects to the processing of their personal data and there is no overriding legitimate interest to continue processing
  • Personal data was unlawfully processed
  • Personal data must be erased to comply with a legal obligation.

However, requests can still be rejected in certain circumstances. For example, in order to comply with a legal obligation for the performance of a public interest task or exercise of official authority or if it is in the public interest, for public health purposes.

Health data is under a special category under the GDPR which speci es two circumstances where the "right to erasure" will not apply:

1) Necessary for public health purposes in the public interest. This is to ensure a high standard of safety and quality healthcare, medical products and medical devices.
2) Necessary for the purposes of preventative or occupational medicine. For example, the processing is necessary for medical diagnosis, providing healthcare or managing healthcare systems/services. This is only applicable if the personal data is processed by, or under the responsibility, of a professional subject to a legal obligation of professional con dentiality/secrecy, such as a healthcare professional.

Please note: The lawful basis for processing personal data and special categories of data when dispensing private and NHS prescriptions is "processing is necessary for the performance of a task carried out in the public interest or in the exercise of of cial authority vested in the controller".

Distance selling pharmacies should consider what records they are keeping. The GPhC singles out "P" medicines where no records would be kept following an over-the- counter transaction but would be required of a distance sale.

Dealing with an individual's request to delete their data

You are required to deal with the request without undue delay and respond within one month of receiving the request. The timeframe for responding to requests to delete an individual's data may be extended in some cases only by a further two months. However, you must inform the individual without undue delay and within one month of receiving their original request explaining why additional time is required.

The ICO say it is "unlikely to be reasonable" to request additional time if: to do so is obviously unfounded or excessive; an exemption applies, or; you require additional information to con rm the individual's identity.

If you refuse the "right of erasure" within a month you must provide details of: the reasons for refusal; the individual's right to make a complaint to the ICO; the individual's ability to seek enforcement of the "right of erasure" through a judicial remedy.

If the individual's personal data has been disclosed to third parties, the individual and the third party must be informed of the erasure request - unless it is not possible to do so, or requires disproportionate effort.

The "right to restrict processing".

Pharmacies can suggest individuals can exercise this right which means although the pharmacy can store the personal data (for reasons explained above), it will be blocked/suppressed by the pharmacy from further processing. It is applicable in certain circumstances, such as:

- The accuracy of the personal data is contested - processing of the individual's personal data should be restricted until the organisation has veri ed its accuracy.

- The processing of the data is unlawful and the individual does not request for the right of erasure, instead requesting restriction.

- The organisation no longer requires the data for processing but it is required
by the individual for the establishment, exercise or defence of legal claims.

- If an individual objects to the processing of their data but processing is required for the performance of a public interest task or purpose of legitimate interests, and the organisation is considering whether their legitimate grounds override those of the individual.

Kind regards,

Leyla Hannbeck MSc, MRPharmS, MBA, MA

Director of Pharmacy, NPA

For further information email at or call 01727 891800.

Copy Link copy link button

NPA Essential