Article 17: Right to erasure ('right to be forgotten')

Under the General Data Protection Regulation (GDPR), individuals have the right to request the deletion or removal of personal data if there is no compelling reason for its continued processing. This right, known as the right to erasure or ‘right to be forgotten’, is enshrined in Article 17 of the GDPR. However, navigating the complexities of this right can be challenging for businesses and individuals alike. In this blog post, we will delve into the specifics of Art. 17 GDPR, exploring the implications and requirements of the right to erasure and how it impacts data subjects and controllers.

Key Conditions for Exercising the Right to Be Forgotten

  • Inaccuracy of Data: The individual can request deletion if the personal data held is inaccurate or incomplete.
  • Unlawful Processing: If the data has been processed unlawfully, the individual has the right to have it erased.
  • Withdrawal of Consent: If the processing is based on the individual’s consent and they withdraw it, they can request deletion of their data.
  • Objection to Processing: When an individual objects to the processing of their data that is based on legitimate interests, they can seek erasure.
  • Compliance with Legal Obligation: If the data needs to be deleted to comply with a legal obligation under EU or Member State law, the individual can request erasure.
  • Data No Longer Necessary: If the personal data is no longer necessary for the purposes for which it was collected or processed, an erasure request can be made.

Exceptions to the Right to Erasure: When Can Data Be Retained?

  • Compliance with a Legal Obligation: Data may be retained when necessary to comply with a legal obligation imposed on the data controller.
  • Performance of a Task in the Public Interest: If the retention of data is necessary for performing a task carried out in the public interest or in the exercise of official authority, it can be retained.
  • Defence of Legal Claims: Data may be retained where it is necessary for the establishment, exercise, or defence of legal claims. This means that if there is ongoing litigation or a dispute, the data may be kept until the matter is resolved.
  • Historical, Statistical, or Research Purposes: If the data is being retained for archiving purposes in the public interest, for scientific or historical research, or for statistical purposes, and if this is permissible under applicable EU or Member State law, it can be retained.
  • Consent Withdrawal: If the individual has withdrawn consent for processing but other legal grounds for processing apply, the data must still be retained under those legal grounds.

Consequences of Non-Compliance with the Right to Erasure

  • Legal Risks: Organizations that fail to comply with requests for data erasure may face legal action from affected individuals. This could result in lawsuits, which can be expensive and time-consuming.
  • Fines and Penalties: The GDPR authorizes supervisory authorities to impose significant fines for non-compliance. Companies can be fined up to 20 million Euros or 4% of their annual global turnover, whichever is higher.
  • Reputational Damage: Organizations that do not respect individuals’ rights under the GDPR may suffer damage to their reputation, which can lead to a loss of customer trust and, potentially, a decline in business.
  • Regulatory Scrutiny: Non-compliance can trigger investigations from data protection authorities. This can result in additional scrutiny of the organization’s data practices and may lead to further requirements for compliance.
  • Remedial Actions: Organizations may be required to take corrective measures to comply with the GDPR, which can incur additional costs and resources.
  • Increased Oversight: Consistent non-compliance may result in heightened monitoring by regulatory bodies, leading to more frequent audits and reviews of the organization’s data handling processes.

The Process of Requesting Erasure of Personal Data

  1. Identify the Data Controller: To begin the request, you must determine who is processing your personal data. This entity is known as the data controller and is responsible for managing your data.
  2. Draft Your Request: Create a formal request for the erasure of your personal data. Include essential information such as:
    • Your name and contact information
    • A clear statement that you are requesting the erasure of your data
    • Details of the data you want erased
  3. Submit Your Request: Send your written request to the data controller. This can often be done via email or through an online form available on their website.
  4. Await Response: The data controller is required to respond to your request without undue delay and within one month of receipt. They may extend this period by an additional two months for complex requests, but they must inform you of the delay and reasons for it.
  5. Evaluate the Response: In its response, the data controller may:
    • Confirm whether your data will be erased
    • Inform you of the next steps if your request is fulfilled, or of any additional actions required on your part
  6. Escalate If Necessary: If you are not satisfied with the response or if your request is denied unjustly, you have the right to lodge a complaint with a supervisory authority in your country. You can also seek judicial remedy.
  7. Keep Records: Document all communications with the data controller regarding your erasure request. This information may be helpful if you need to escalate the situation.

Conclusion

The right to erasure (‘right to be forgotten’) under Art. 17 GDPR is a crucial aspect of data protection and privacy regulation. It gives individuals the right to request the deletion of their personal data under certain circumstances. It is important for organizations to understand and comply with this right in order to protect individuals’ privacy and uphold their own legal obligations. Organizations should take the necessary steps to ensure that they are able to handle requests for erasure in a timely and efficient manner.