The GDPR introduces a right for individuals to have personal data erased. The right to erasure is also known as ‘the right to be forgotten’.
What is the right to erasure?
The right to be forgotten appears in Recitals 65 and 66 and in Article 17 of the GDPR. It states, “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay” if one of a number of conditions applies. “Undue delay” is considered to be about a month. You must also take reasonable steps to verify the person requesting erasure is actually the data subject.
Article 17 Part 1 states:
1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
However, an organization’s right to process someone’s data might override their right to be forgotten. Here are the reasons cited in the GDPR that trump the right to erasure:
- The data is being used to exercise the right of freedom of expression and information.
- The data is being used to comply with a legal ruling or obligation.
- The data is being used to perform a task that is being carried out in the public interest or when exercising an organization’s official authority.
- The data being processed is necessary for public health purposes and serves in the public interest.
- The data being processed is necessary to perform preventative or occupational medicine. This only applies when the data is being processed by a health professional who is subject to a legal obligation of professional secrecy.
- The data represents important information that serves the public interest, scientific research, historical research, or statistical purposes and where erasure of the data would likely to impair or halt progress towards the achievement that was the goal of the processing.
- The data is being used for the establishment of a legal defense or in the exercise of other legal claims.
Furthermore, an organization can request a “reasonable fee” or deny a request to erase personal data if the organization can justify that the request was unfounded or excessive.
As you can see, there are many variables at play and each request will have to be evaluated individually. Add to that the technical difficulty of keeping track of all the places an individual’s personal data is stored or processed and it is easy to see why the GDPR’s new privacy rights can be a significant compliance burden for some organizations.
If you are just getting started, or still on your journey to meeting GDPR compliance, contact us:
Expert help, at your service
If you find all this overwhelming and don’t know where to start to address your GDPR compliance solution, we can help. Once you are ready to go, we’ll help you get up in running in days, so you don’t have to integrate a bunch of security compliance software tools or hire more people.
Note: I am not a lawyer, not even an aspiring lawyer. This blog does not constitute legal advice, only my interpretation and summary of certain requirements of the GDPR. Readers are encouraged to obtain legal advice from a qualified professional in respect to their organization’s obligations.