Right to be forgotten | GDPR right to erasure for individuals

Information on the GDPR right to be forgotten for individuals, also known as the right to erasure.

Right To Be Forgotten

What is the right to be forgotten?

The right to be forgotten comes under GDPR Article 17. Also known as the right to erasure, it means that people have the right to demand their personal data is erased. However, it only applies in certain circumstances and is not absolute.

Right to be forgotten – when does it apply?

People have the right to be forgotten if:

  1. Their personal data is no longer being used for the purpose originally given by the controller.
  2. The controller is using consent as the lawful basis for keeping the data and the consent is withdrawn by the individual.
  3. The controller is using legitimate interests as the basis for data processing, the individual objects to the processing, and there is no overriding legitimate interest that the controller can use to continue.
  4. The controller or processor is using the personal data for direct marketing and the individual objects to this specific processing.
  5. The data has been processed in breach of the first GDPR principle of lawfulness.
  6. The controller must do so in order to comply with a legal duty.

How does the right to be forgotten work with data collected from children?

The GDPR emphasises the right to be forgotten and to have personal data erased if the individual’s request concerns data collected from children.

This is due to the GDPR’s enhanced provision for the protection of children’s information, particularly online.

This means that any company processing data collected from children must give sufficient weight to any erasure request if the data processing is based on consent given by a child. This remains the case even when the individual is no longer considered a child, because they may not have understood the risks involved at the time of consent when they were a child.

Informing other organisations about personal data erasure

There are two circumstances when the company must inform other organisations that personal data needs erasing. These are when the personal data has been given to others, or it has been made public online. The latter could mean social media, websites or forums.

If personal data has been disclosed to others, then the controller must contact them individually to tell them about the erasure. Where personal data is public online, every reasonable effort must be made to tell other controllers who are processing personal data to erase replication, copies or links to that data. Reasonable steps should be considered against the cost of doing so and the technology available.

If the right to be forgotten request is valid, then every effort must be made to erase the data from live systems and backup systems. The company must inform the individual of exactly what is happening to their data when the request is fulfilled.

When does the right to be forgotten not apply?

Data erasure doesn’t apply if it’s determined that processing is necessary in order to do the following:

  1. To exercise the right of freedom of information and freedom of expression.
  2. To comply with a legally mandated obligation.
  3. To perform a task that is for an official authority or for the wider public interest.
  4. When data must be archived in the public interest, for scientific or historical research or where its removal would seriously impair a project.
  5. To establish, defend or exercise legal claims.

When does the right to be forgotten not apply to special category data?

The GDPR also specifies two circumstances where the right to erasure will not apply to special category data:

  1. If the data processing is deemed necessary for public health purposes. For example, this could mean protecting against threats to health or ensuring high quality standards for medicinal products.
  2. If the data processing is deemed necessary for occupational or preventative medicine, for medical diagnoses, for the provision of social or health care or for the management of social or health care services.

When can requests for exemption be refused?

It’s possible to refuse a request to have data erased if an exemption applies. Not every exemption applies in the same way. The data collector must examine each exemption and consider if it’s applicable to a request.

Companies can also refuse a request to be forgotten if it is excessive or manifestly unfounded. Each request for erasure must be considered independently. There cannot be a blanket policy regarding this, as it must be concluded on a case by case basis.

The company must also be able to explain exactly why the request is considered excessive or manifestly unfounded to the individual. This can be escalated to the Information Commissioner, to whom you must also demonstrate why the request is refused.

Manifestly unfounded means:

  • If the erasure request is malicious and is being used to harass a company just to cause disruption.
  • If the individual is making the request with no intention of exercising their actual right to be forgotten, but is trying to get something out of it.
  • If the individual has stated either in the request or other forms of communication that they will cause disruption.
  • If the request for data erasure targets an employee they have a grudge against.
  • If the request makes unsubstantiated accusations against the controller or an employee.

The onus is on the controller to demonstrate that the request is manifestly unfounded.

Excessive means:

  • Too many requests are made using the same language.
  • The request repeats other previous requests.
  • The request overlaps with others.

This depends on individual circumstances and does not necessarily mean it will be considered excessive just because the individual makes a request about the same issue. There may be legitimate reasons for this.

If the request is considered to be excessive or manifestly unfounded, then the individual must be informed within a month of the request. Explain why the data will not be erased and that they have the right to complain to an advisory authority.

If the request is complex, then the controller company can extend the response time by another two months.