Explaining the right to be forgotten under UK GDPR (2023)
GDPReu.org explain what qualifies for a valid request for the right to be forgotten or the right to erasure as part of the UK version of the GDPR.
While the Right to be Forgotten initially formed part of the EU’s landmark legislative changes in the 2018 General Data Protection Regulation (GDPR), you may be wondering how Brexit has impacted this.
In short, yes. Based on the European data protection law, the UK GDPR also contains the right for individual data to be forgotten.
Also called the right to erasure, the Right to be Forgotten is not, however, absolute. In order to erase personal data, certain criteria must be met. Let’s break it down further.
The Right to be Forgotten exists under Article 17 of the UK GDPR, which is heavily based on the legislation created by the European Union.
The right for the data subject to make a right-to-be-forgotten request only applies to data that is held at the exact same time that the request is made. Furthermore, this is not a guaranteed right to have personal data erased and only applies under specific circumstances.
Internet users and individuals can exercise the Right to be Forgotten if the following criteria are met (this is based on EU law but since Brexit is now UK law).
Legal claims and a valid verbal request to erase data, where the data subjects are children, have even more emphasis under this data privacy law.
If data is collected from children for processing purposes, then the holder of the data must comply with any request for erasure under the data protection directive. This continues to be the case when the child grows up, as it’s assumed they couldn’t have initially been aware of the risks when underage.
There is a lot of detail about the right to be forgotten. children’s privacy and data protection rules on the website of the UK data protection authority, ICO.
Even a valid request for data to be erased does not apply under the UK GDPR for the following reasons:
Under the UK GDPR, there are two further reasons why the right to be forgotten doesn’t apply:
As long as one of the exemptions applies, then the request can be refused. However, the exemptions work in different ways depending on the request. It is also possible to refuse a request if it’s excessive or manifestly unfounded.
This must be able to be demonstrated to the person requesting erasure. All the versions of GDPR include this proviso and point out that to be considered ‘manifestly unfounded’ then the following must apply:
However, this needs to be carefully considered and the task carried out to ensure the request is manifestly unfounded. It must be demonstrated and explainable.
The data subject who has requested data erasure must be informed without undue delay and certainly within a month. They must be clearly informed of the reasonable steps that were taken to reach this decision and the reasons why. They should also be informed that they have the right to complain to a supervisory authority.
Requests can be made either verbally, in person, or in writing and do not have to follow a specific format or include any specific words.
For more information on the right to be forgotten and how to remove unlawfully processed data from a search engine, Google search results or elsewhere and for a breakdown of the reasonable fee structure involved, contact the Igniyte team here.