The right to be forgotten
The General Data Protection Regulation (GDPR) is a privacy law that aims to protect the personal data of European Union citizens. One of the ways in which GDPR achieves this is by providing individuals with certain privacy rights, including the right to be forgotten.
In this article, we will discuss the following with regard to this right:
- When the data subject can exercise this right;
- Exceptions to this right;
- The obligations of controllers who have made the data public; and
- Timeline for responding to requests.
Exercising the right to be forgotten
Under Article 17 of GDPR, individuals have the right to be forgotten, meaning that they have the right to have you erase the personal data that you have about them. This right can be exercised in the following circumstances:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- The data subject withdraws consent on which the processing is based and there is no other legal ground for processing;
- The data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing or the data subject objects to the processing pursuant to Article 21(2);
- The personal data have been unlawfully processed;
- The personal data have to be erased to comply with a legal obligation under European Union or Member State law to which you are subject;
- The personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
Exceptions to the right to erasure
GDPR provides for the following exceptions to the right to erasure; if an exception applies, you can refuse to erase the data. You can refuse a request where processing of the personal data is necessary for one or more of the following reasons:
- To exercise the right of freedom of expression and information;
- To comply with a legal obligation;
- For the performance of a task carried out in the public interest or for the exercise of official authority;
- For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, where erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- For the establishment, exercise or defense of legal claims.
If you are processing special categories of personal data, you may refuse a request to be forgotten in the following circumstances:
- If the processing is necessary for public health purposes in the public interest; or
- If the processing is necessary for the purposes of preventive or occupational medicine.
Finally, you can also refuse a request to be forgotten if it is manifestly unfounded or excessive. If you are refusing the request for any reason, you must inform the individual of the denial and provide them with the following information:
- The reason(s) why you are denying the request;
- The right to make a complaint to a Data Protection Authority; and
- The ability to seek to enforce this right through a judicial remedy.
Obligations of controllers who have made the data public
If an individual has asked you to erase their personal data and you have previously made that data public, you must take reasonable steps, including technical measures, to inform other controllers who are processing that data that the individual has requested the erasure by those controllers of any links to, or copies or replications of, that data. When deciding what qualifies as reasonable steps, you should take into account the available technology and the cost of implementation.
Timeline for responding to requests
When an individual asks you to erase their data, you must comply with their request without undue delay and within one month of receipt of:
- Any information requested to confirm that individual’s identity; or
- A fee, in certain circumstances.
You may extend this period by a further two months if the request is complex or you have received a number of requests from that individual. If you are using an extension, you must let the individual know within one month of receiving their request and explain why the extension is necessary.
GDPR’s right to be forgotten should not be taken lightly, as heavy fines can be imposed for failure to comply. You should have a good understanding of where you store personal data and who in your organization is responsible for data storage, and you should implement a procedure for responding to and executing requests from individuals to be forgotten.