Explaining the right to be forgotten under UK GDPR (2023)

GDPReu.org explain what qualifies for a valid request for the right to be forgotten or the right to erasure as part of the UK version of the GDPR.

Does the right to be forgotten still apply in the UK?

While the Right to be Forgotten initially formed part of the EU’s landmark legislative changes in the 2018 General Data Protection Regulation (GDPR), you may be wondering how Brexit has impacted this.

Does the right to be forgotten exist under the UK General Data Protection Regulation?

In short, yes. Based on the European data protection law, the UK GDPR also contains the right for individual data to be forgotten.

Also called the right to erasure, the Right to be Forgotten is not, however, absolute. In order to erase personal data, certain criteria must be met. Let’s break it down further.

When can a data subject erase personal data under the UK GDPR?

The Right to be Forgotten exists under Article 17 of the UK GDPR, which is heavily based on the legislation created by the European Union.

The right for the data subject to make a right-to-be-forgotten request only applies to data that is held at the exact same time that the request is made. Furthermore, this is not a guaranteed right to have personal data erased and only applies under specific circumstances.

Here’s when the right to be forgotten applies

Internet users and individuals can exercise the Right to be Forgotten if the following criteria are met (this is based on EU law but since Brexit is now UK law).

  • The personal data is no longer relevant for the original purpose of collection.
  • The data controller is relying on the individual’s consent on a lawful basis for retaining the data, but the data subject objects later and withdraws their original consent.
  • The personal data relating to the individual no longer has any legitimate reason for the data processor to keep it.
  • The personal data processing is for direct marketing purposes and the person now objects to it.
  • The data protection laws prove that private information and data collection has been processed unlawfully.
  • The data controller or processor must comply with a legal obligation to delete data.
  • The data subject’s right has been infringed because they are a child and the personal data has been processed in order to offer information society services.

Legal claims and a valid verbal request to erase data, where the data subjects are children, have even more emphasis under this data privacy law.

If data is collected from children for processing purposes, then the holder of the data must comply with any request for erasure under the data protection directive. This continues to be the case when the child grows up, as it’s assumed they couldn’t have initially been aware of the risks when underage.

There is a lot of detail about the right to be forgotten. children’s privacy and data protection rules on the website of the UK data protection authority, ICO.

When does the right to be forgotten not to apply?

Even a valid request for data to be erased does not apply under the UK GDPR for the following reasons:

  • If the data processing is necessary in order to exercise the right of freedom of information and expression.
  • If personal data related to the erasure request is necessary to comply with a legal obligation.
  • If such data is necessary in order to carry out a task for an official authority or that’s in the public interest.
  • If the data is necessary for scientific research, historical research, statistical purposes or for archiving purposes, and if the data is deleted it would impair this.
  • If such information is needed for the establishment or defence of legal aspects of a claim.

Under the UK GDPR, there are two further reasons why the right to be forgotten doesn’t apply:

  1. If the processing of the data is necessary for the public’s interest and for public health professional secrecy purposes. For example, this could relate to any cross-border threats to health and in order to ensure the quality of medicinal products and devices.
  2. If it’s necessary to process the data for preventative or occupational medicine or under certain circumstances for the provision of health or social care in the public interest.

Are there any other reasons that a Right to be Forgotten can be refused?

As long as one of the exemptions applies, then the request can be refused. However, the exemptions work in different ways depending on the request. It is also possible to refuse a request if it’s excessive or manifestly unfounded.

This must be able to be demonstrated to the person requesting erasure. All the versions of GDPR include this proviso and point out that to be considered ‘manifestly unfounded’ then the following must apply:

  1. The data subject transparently has no intention to actually exercise the right to be forgotten. An example of this would be if a request is made based on the person’s online reputation, but they then offer to withdraw the request in return for something.
  2. The request is considered by the advisory council to be malicious in intent and has only been submitted to disrupt or harass the organisation that is holding the data.

However, this needs to be carefully considered and the task carried out to ensure the request is manifestly unfounded. It must be demonstrated and explainable.

The data subject who has requested data erasure must be informed without undue delay and certainly within a month. They must be clearly informed of the reasonable steps that were taken to reach this decision and the reasons why. They should also be informed that they have the right to complain to a supervisory authority.

Requests can be made either verbally, in person, or in writing and do not have to follow a specific format or include any specific words.

For more information on the right to be forgotten and how to remove unlawfully processed data from a search engine, Google search results or elsewhere and for a breakdown of the reasonable fee structure involved, contact the Igniyte team here.