Right to be forgotten | GDPR right to erasure for individuals
Information on the GDPR right to be forgotten for individuals, also known as the right to erasure.
The right to be forgotten comes under GDPR Article 17. Also known as the right to erasure, it means that people have the right to demand their personal data is erased. However, it only applies in certain circumstances and is not absolute.
People have the right to be forgotten if:
The GDPR emphasises the right to be forgotten and to have personal data erased if the individual’s request concerns data collected from children.
This is due to the GDPR’s enhanced provision for the protection of children’s information, particularly online.
This means that any company processing data collected from children must give sufficient weight to any erasure request if the data processing is based on consent given by a child. This remains the case even when the individual is no longer considered a child, because they may not have understood the risks involved at the time of consent when they were a child.
There are two circumstances when the company must inform other organisations that personal data needs erasing. These are when the personal data has been given to others, or it has been made public online. The latter could mean social media, websites or forums.
If personal data has been disclosed to others, then the controller must contact them individually to tell them about the erasure. Where personal data is public online, every reasonable effort must be made to tell other controllers who are processing personal data to erase replication, copies or links to that data. Reasonable steps should be considered against the cost of doing so and the technology available.
If the right to be forgotten request is valid, then every effort must be made to erase the data from live systems and backup systems. The company must inform the individual of exactly what is happening to their data when the request is fulfilled.
Data erasure doesn’t apply if it’s determined that processing is necessary in order to do the following:
When does the right to be forgotten not apply to special category data?
The GDPR also specifies two circumstances where the right to erasure will not apply to special category data:
It’s possible to refuse a request to have data erased if an exemption applies. Not every exemption applies in the same way. The data collector must examine each exemption and consider if it’s applicable to a request.
Companies can also refuse a request to be forgotten if it is excessive or manifestly unfounded. Each request for erasure must be considered independently. There cannot be a blanket policy regarding this, as it must be concluded on a case by case basis.
The company must also be able to explain exactly why the request is considered excessive or manifestly unfounded to the individual. This can be escalated to the Information Commissioner, to whom you must also demonstrate why the request is refused.
The onus is on the controller to demonstrate that the request is manifestly unfounded.
This depends on individual circumstances and does not necessarily mean it will be considered excessive just because the individual makes a request about the same issue. There may be legitimate reasons for this.
If the request is considered to excessive or manifestly unfounded then the individual must be informed within a month of the request. Explain why the data will not be erased and that they have the right to complain to an advisory authority.
If the request is complex, then the controller company can extend the response time by another two months.