Article 17 of the EU General Data Protection Regulation (GDPR), the “right to erasure” (also known as the “right to be forgotten”), allows individuals to request the removal of personal data that an organisation holds about them. Individuals can exercise this right when:
- The controller no longer needs the data for the purpose that it was originally collected;
- The individual withdraws consent;
- The individual objects to the processing and the organisation has no overriding legitimate interest in the data;
- The controller or processor collected the data unlawfully;
- The data must be erased to comply with a legal obligation; or
- The data was processed in relation to the offer of information society services to a child.
Organisations can refuse to comply with a request for erasure if:
- The processing is protected by the right to freedom of expression;
- Processing the data is necessary to comply with a legal obligation, or to perform a task carried out in the public interest or in the exercise of official authority;
- The data is for health purposes in the public interest;
- The data is being used for archiving purposes in the public interest, scientific or historical research, or statistical purposes; or
- The processing is necessary to exercise or defend legal claims.
What does this mean for data processors and controllers?
Data protection specialist Carl Gottlieb believes that the exceptions to the right to erasure will apply often. Organisations should therefore keep a close eye on the details of each request and find a way to quickly identify whether an exception applies.
Gottlieb writes: “Erasure is an area where there is no black and white on what must be done. Every organisation, every record and every piece of technology used will require a case-by-case assessment. For example, some processors provide more granular control of deletion of individual records in cold backups. Some provide none.
“The key is to focus on what your rationale would be if you were stood in front of the regulator […] or a judge in court. Would you be confident that you had a justifiable position on doing the ‘right thing’ by the data subjects, doing the best you could and had given this enough focus and documented thought?”
There’s much more to learn
The right to erasure is one of eight data subject rights enforced by the GDPR. Our blog covers the introductory details, but those who want an in-depth understanding of the GDPR and data subject rights should consider our Certified EU General Data Protection Regulation Foundation (GDPR) Training Course.
This one-day course is delivered by an experienced data protection practitioner and is suitable for directors or managers who want to understand how the GDPR affects their organisation, employees who are responsible for GDPR compliance, and those with a basic knowledge of data protection who want to develop their career.