I’ve unsubscribed and my data has been deleted - why?

If you’re reading this article it's likely that you have contacted us because your data has been deleted after you have unsubscribed from our service. This article explains why it has been deleted and why it can’t be recovered. You should read this document thoroughly before taking any further action.

Terms of Service

When you created your WriteUpp account you agreed to our Terms of Service. The clause relating to cancellation is shown below:

Why is this clause included in our Terms of Service?

Article 6 of UK GDPR relates to “Lawfulness of processing”. At the point where you unsubscribe from our service, your contract with us and our role as your “data processor” end. When they end, we have no legal basis to hold personal information relating to your clients, where you are the “data controller”.

Put simply, we cannot comply with UK GDPR if we continue to hold sensitive personal information beyond the term of your contract with us. Doing so would breach your data subject’s rights and could potentially result in fines for us (and you) equalling £17.5 million or 4% of our annual global turnover.

How does this sit with my responsibilities to hold client/patient records for X years?

Your professional record-keeping responsibilities are unrelated to our Terms of Service. When you contract with us as your “data processor” you do so in accordance with our Terms of Service. As the “data controller” (i.e. the person or entity that is ultimately responsible for the data) you have a duty of care to:

be aware of your responsibilities under UK GDPR
safeguard your client’s data in accordance with UK GDPR and professional guidance (HCPC)
uphold your professional record-keeping responsibilities

Our responsibility, as the “data processor”, is to process the data that you provide to us (i.e. your client data) in accordance with our Terms of Service and Privacy Policy.

By cancelling your contract and not exporting your data within the allowed 45 days, you may be in breach of GDPR and/or your professional responsibilities.

Duty of Care

We take UK GDPR and client data extremely seriously. It's why we invest heavily in state-of-the-art infrastructure, hosted by Microsoft, and why we’re independently audited annually against ISO27001 (ISO27001: Information technology — Security techniques — Information security management systems — Requirements). Certification # 275372018. We are also registered with the Information Commissioner’s Office (ICO). Our registration number is Z2865352.

With this in mind and given our very clear responsibilities under UK GDPR we work through a series of steps (outlined below) to ensure that “data controllers” can uphold their legal and professional responsibilities when they unsubscribe from our service.

What happens when you unsubscribe from WriteUpp?

When you click on the Unsubscribe link in the Account Details section in WriteUpp you are presented with the following screen (this is an example):

It contains a very clear notice explaining that your data will be deleted if you choose to cancel your subscription. It also tells you exactly what data you have in the system so you’re in no doubt about whether or not there is data in your account.

IMPORTANT: We provide this information at this stage so that you as the “data controller” can make an informed judgement about whether or not you wish to cancel your subscription. It allows you to put the necessary plans in place (data export) to fulfil your legal and professional responsibilities before you initiate the cancellation process.

If you proceed at this stage and click on “YES, CANCEL MY SUBSCRIPTION” your data will be queued for deletion 45 days from the end of your last payment cycle.

Email Sequence

24 hours after you unsubscribe the following message is sent to the email address associated with the site administrator. It explains that your data will be deleted and links you through to an article explaining exactly how you can export your data out of WriteUpp.

7 days before your data is due to be deleted you receive this email.

To ensure a complete audit trail is maintained we use a special service to deliver these messages which tells us if they have been delivered successfully and opened, as below:

24 hours before your data is due to be deleted you receive the following final warning:

In the event that you contact us via live chat or email asking us to reverse your cancellation we maintain a complete log of all communications that we receive in our support/Help Desk system.

Why can’t you restore the data from a backup?

Our Terms of Service require us to delete your data after 45 days, which includes backups. Whether it's data that is live in your account or held within a backup, it's data that needs to be deleted. There is no differentiation between a backup and live data.

What should I do now?

In the first instance, you may be able to find another way to recreate the data from within your own organisation.

If that’s not possible, as the “data controller” you will need to make a judgement on whether or not you feel this constitutes a breach of UK GDPR and/or your professional responsibilities and take the appropriate action. Unfortunately, this is not something we can advise you on, and if you’re unsure you may wish to seek professional advice.

If you feel that we have failed to fulfil our responsibilities in any way please don’t hesitate to contact the Information Commissioner’s Office (ICO) and we will happily cooperate with any investigation that ensues.

Our ICO registration number is Z2865352.

Updated on: 07/11/2022
