The main objective of the new General Data Protection Regulation (GDPR) is to protect the rights and freedoms of the citizen, in particular, the fundamental right to the protection of personal data. Recitals 1 and 2 refer to this, and a complete chapter of the GDPR is devoted to ‘the rights of the data subject’. In this article we will discuss one of these rights – ‘the right to be forgotten’ (also known as the right to erasure) – in more detail.
The Right to be Forgotten in Context
The right to be forgotten, as defined in article 17 of the GDPR, gives individuals the right to have their personal data erased in certain circumstances. The limitation will not be surprising; nobody really expects that they can instruct the tax authorities to forget about them for the rest of their lives. Neither can this right be used to rewrite history, e.g. for a politician to have an unfortunate remark he made be deleted from a news website. You can only invoke this right, free of charge, when:
- Your personal data is no longer necessary for the purposes they were collected for;
- You have withdrawn consent and there is no other legal ground for processing;
- You have objected to the processing (see article 21);
- Your personal data has been unlawfully processed;
- Your personal data must be erased for compliance with a legal obligation to which the controller is subject;
- You were a child at the time your personal data has been collected.
The controller is obliged to erase the pertaining data within 30 days, and to take reasonable steps to have the data removed if it was published somehow. Unless one of the exceptions stated in article 17 sub (3) applies, for then the controller must inform you which personal data must be retained, and why.
Such exceptions may be that the right to freedom of expression and information applies, or that the controller must comply with a legal obligation such as a law on archiving company data for a number of years. Exceptions can also be grounds of public interest in the area of public health, archiving purposes in the public interest, scientific or historical research purposes or statistical purposes or for the exercise of or defense against legal claims. Sometimes it is impossible or very expensive to erase data, for instance when it is part of a backup file or a microfiche.
Why would you want to make use of the Right to be Forgotten?
All data available on you is valuable information for companies. Anything you do and write on internet is collected and combined. Each of those little pieces of information say hardly anything about you, but combined they create a very detailed ‘online profile’. Marketers buy the contact details of people who – according to their profile – belong to the target group for the products and services they offer.
Websites usually label this as a good thing: they try to predict what you need and help you find it. So what is the problem, they’ll ask you? The problem is this profile, which in fact is more detailed than what the East German Stasi ever dreamt of – and potentially just as dangerous. You do not know who has this information and what they do with it, but whether you want to or not, you keep adding to it every day whenever you visit a web page.
What if your data is being processed in a way that you don’t want it to be?
Even when you are minimizing the personal data you give to organizations, you might still find that organizations use your data in a way you don’t want them to. If this personal data is directly obtained from you – such as on websites and web shops – GDPR article 13 requires that you are informed about which data they process, why they process it and whether your data is transferred to some ‘third party’. Often – contrary to the GDPR principle of transparency and fairness – this required information is hidden using a link in a small font at the very top or bottom of the web page, leading to a page with a name like ‘privacy statement’. Don’t forget, their business model is to make money by selling your personal data.
So whenever your consent is asked for ‘a cookie’ to be stored on your device, do take the time to find and read the privacy statement and opt-out of everything that is not strictly necessary for the website to operate. If you can’t opt out, consider whether you want to do business with them.
Even then, you may find that a company is processing your personal data without your consent and without having told you what they do with your data. Then it is a matter of withdrawing your consent.
(1) The first step is to send them a letter or e-mail in which you ask them which personal data they have about you, what their legitimate purpose is and what they intend to do with your data.
You may also immediately add the next two steps, i.e.
(2) You state that in case the controller thinks you have consented in the past, this consent is now withdrawn.
(3) That you object to the processing of your personal data for direct marketing purposes according to article 21 sub (2) of the GDPR.
The controller is obliged to react within 30 days. So, make sure you keep a copy of your letter or e-mail.
(4) If you receive no answer, or the answer you receive is a refusal on grounds that you don’t understand or don’t agree with, just file a complaint with the supervisory authority in your country. There are no costs involved. You already have the advantage, because the GDPR requires controllers to support data subjects when they want to use their rights according to the GDPR.
Of course, you may very well receive a detailed answer, specifying exactly which the data they have on you and the legitimate reason they have to process it. If you understand and agree, check whether the data is correct and have it corrected if not. And reread point (3) above. The fact that a company wants to make a profit is in itself not enough to make it a legitimate reason to process your data. Because it is your data, not theirs.
 History has proven time and again that seemingly innocuous personal data can suddenly become dangerous. In World War II and, more recently, in Bosnia your religious background or even just a family name that reveals such a background could be life threatening.
This article has been written by guest author Leo Besemer.