Your business will likely deal with your customers’ personal information, such as their physical addresses or payment details. This means you have certain legal obligations regarding what access customers have to the personal information you hold. You must store customer data securely, but what happens when customers want you to delete their personal information? This article will detail:

  • what kind of access customers have to their personal information; and 
  • whether you have to comply with any requests for erasure.

My Business’ Privacy Obligations

If you deal with any information that can identify an individual, the law has certain rules around how you should collect, store, use and share that information.

This applies to your employees as well as your customers. You can only collect information for a specific business purpose, and you must store it securely. You cannot: 

  • hold it for longer than necessary; or
  • share that information with others (unless that is the purpose you collected the information for, such as advertising, or you have the person’s permission).

If there has been a privacy breach in your business, you must take all steps to remedy it as soon as possible. If that privacy breach is serious and likely to cause harm to someone, you need to notify both the: 

  • person involved; and 
  • Privacy Commission.

As long as you carry out business in New Zealand, these laws apply to you. If customers are unsatisfied with how you have handled their information, they can complain to the Privacy Commission. The Privacy Commission will then investigate and deal with the situation accordingly, with:

  • compliance notices; 
  • fines; or
  • further legal proceedings.

Customer Access to Their Personal Information

Customers have a right to ask you to:

  • confirm whether you hold certain information about them; and
  • show them that information.

Once you receive such a request, you have to respond as soon as practicable and within 20 working days of receiving it. During this time, you have to investigate the request and see whether you have the information. 

You must also decide how you will respond and whether you have any legitimate reasons to refuse. If you decide to refuse access, you have to tell the customer why. However, they can still complain to the Privacy Commission if they do not agree with your reasoning. 

Refusing Customer Access

You can refuse to give a customer information if:

  • you cannot easily retrieve it;
  • doing so would breach another person’s privacy;
  • doing so would cause danger for another person;
  • it would negatively affect their mental health;
  • you do not have it;
  • someone gave it to you in confidence; or
  • the information request is trivial or frivolous.

Because you are a privately owned business, you can charge for access to customer records for checking personal information, as long as the price is reasonable.

Deleting Customer Information

Customers also have the right to ask you to correct or change their information, which would include deleting it. They may do so if they find you hold information about them that is:

  • incorrect;
  • out of date; or 
  • available online without their knowledge.

For example, a customer may have changed addresses. They can ask you to update their records with their new address, and delete their old one.

This could mean:

  • deleting their personal information from your website; or
  • destroying physical documents in your records. 

Can I Refuse a Customer’s Request to Delete Personal Data?

As with accessing information, a customer must be entitled to ask for a correction or deletion. This means that the:

  • personal information must be about that particular customer; or
  • person must be acting on behalf of someone else, with written permission to do so.

If they do not meet this requirement, they cannot ask you to amend the information.

Whilst customers can ask you to correct or delete their personal data, they cannot force you. That is because you are allowed to hold information as long as it fulfils its intended purpose. If you are still holding information for a specific purpose, you do not necessarily have to delete it.

If you believe that the information is already correct, or you cannot amend or delete it because it is a historical record, then you do not have to comply with this request. A customer can ask that you attach a statement to said information making a note of their deletion request, along with why you refused to do so.

Keeping Accurate Information

However, a customer can still complain to the Privacy Commission, claiming that you have breached their right to correct their personal information. If you continue to hold information about them that is untrue, or did not have a legitimate reason to refuse, you could face legal penalties.

When deciding whether to refuse a deletion request, remember that you:

  • have an obligation under privacy law to ensure that the information you hold is correct and accurate;
  • cannot store information for longer than you need it; and
  • cannot hold information for a reason outside of its intended purpose.

Key Takeaways

Customers have the right to ask you to delete their data if they believe it is incorrect or out of date. You are also not allowed to keep information if you have no reason to hold it. You can refuse such requests if you believe the information you hold is accurate, and you still need to hold it. If you would like more information or help with your business’s privacy obligations, contact LegalVision’s New Zealand privacy lawyers on 0800 005 570 or fill out the form on this page.

Frequently Asked Questions

What is personal information?

Personal information is data that can identify an individual. This includes full names, photos, physical addresses and email addresses.

Can a customer ask me to show them what personal information I have?

A customer can ask you to show them the personal information you hold, provided it is about them specifically. Once they ask, you have to respond within 20 days.

Can I refuse to let a customer see their personal information?

Generally, customers have a right to access any personal information you hold about them unless an exception applies. Such exceptions include that it would breach someone else’s privacy or that giving them the information would cause danger.

Can customers ask me to delete their personal data?

A customer can ask you to correct their data if they believe it is incorrect, which includes deleting it. If you think the information is actually correct, then you can refuse. However, a customer can ask you to attach a statement to the information detailing their request and why you refused.
