One of the most striking additions introduced in the new General Data Protection Regulation (GDPR) is the far stronger emphasis on the rights of the data subject. There is a complete chapter in the GDPR containing 11 articles devoted to it. In this article, we will discuss one of these rights – the right to erasure (also known as ‘the right to be forgotten’) – in more detail.
Context of the Right to Erasure
Under article 17 of the GDPR, individuals have the right to have their personal data erased. However, this right is not absolute and only applies in certain circumstances. It is imperative for an organization processing personal data to be prepared for the eventuality that a data subject invokes this right. The controller (i.e. the organization) is obliged to react to such requests within 30 days (see recital 59). According to the GDPR, the controller must facilitate the exercising of this right and offer the means to do so free of charge.
The obligation and the relatively short response time mean that the organization must have robust working processes in place to receive a request, check whether there are reasons to continue processing the data, delete the data if applicable, and inform the data subject about the action taken and any reasons for keeping (part of) the data.
Cases in which a Data Subject can Invoke the Right to Erasure
Article 17 states that ‘the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her (…)’ if one of the following applies:
- The personal data is no longer necessary for the purposes for which it was collected;
- The data subject withdraws consent for the processing, and there is no other legal ground for the processing;
- The data subject objects (see article 21 on the right to object to data processing);
- The personal data has been unlawfully processed by the controller or a processor;
- The personal data must be erased for compliance with a legal obligation;
- The data subject was a child at the time the personal data was collected (see article 8 on the conditions of a child’s consent).
If you (the controller) have made the data public, you are obliged to inform the recipients of the erasure and to take ‘reasonable steps’ to have the data removed.
Exceptions to the Right to Erasure
You might be allowed or obliged to keep the data if:
- The right to freedom of expression and information applies;
- You must comply with a legal obligation, e.g. a law on archiving company data for 7 years;
- There are grounds of public interest in the area of public health;
- It is needed for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
- It is needed for the exercise or defense of legal claims.
In some cases, it is impossible or very expensive to erase data, e.g. when it is part of a backup file (which cannot be edited) or a microfiche (which can neither be searched nor edited).
The principle of fairness and transparency
Whatever you decide to do in response to a request under the right to erasure, the GDPR principle of transparency demands that you inform the data subject as soon as possible, and within 30 days, about your decision and whether you have erased the data. When there is a legal obligation or another reason why you must keep processing the data or part of it, you must also state the reason and for how long you will keep it (the retention period).
Mind you, merely holding the data in an archive still falls within the definition of ‘processing’, unless you have irretrievably anonymized the data.
This article has been written by guest author Leo Besemer.