Right to be Forgotten

Often after a request for access and/or after a data breach, a data subject may decide that they no longer wish a particular organization to process their personal data. The data subject can then ask the organization to delete his or her personal data. The person concerned also has the right to be forgotten if they do not want to be haunted by their past. As an organization, you must grant the request under certain circumstances. You then have one month to respond to and comply with the request. As with an access request, extensions are possible for complex requests.

Like the right of access, there is no standard way of making this request. Data subjects may make a request for erasure verbally or in writing. It is recommended that you have a clear policy in place for such requests and that you keep a log of verbal requests so you can track them and their deadlines.

In this section, we will discuss the right to erasure after the right of access and/or after a data breach. ZyLAB ONE can help your organization comply with all these various obligations.

Grounds for Erasure

According to Article 17 of the GDPR, an organization may receive an erasure request after an access request. The right to erasure means that data subjects have the right to ask an organization to erase their personal data if there is a ground for the request. This right is not absolute and only applies under certain conditions. Some of these cases are:

  • When you have processed personal data unlawfully; for example, the personal data of a data subject under the age of 16 obtained via an app or website.
  • If you are legally obliged to delete the personal data; for example, when a legal retention period expires after a specific time.
  • When the personal data is no longer needed for the processing purposes; once those purposes have been achieved, the data is no longer required and can be deleted.
  • When the data subject withdraws his or her consent; for example, a data subject who withdraws permission to publish their data on your website or social media account. Where consent under Article 6(1)(a) of the GDPR was the basis for processing, an organization must delete the information if it cannot rely on another processing basis or on a ground for an exception.
  • When the data subject objects and you have no interests that outweigh their specific interests. Examples of interests that can justify continued processing of personal data are humanitarian purposes, monitoring an epidemic and its spread, or humanitarian emergencies, such as natural or human-made disasters.
  • When you process the personal data for direct marketing purposes; for example, digital direct marketing, telemarketing, or advertising mail.
  • When you collected the data in connection with the targeted provision of internet services; for example, personal data connected with a direct offer of internet services to a child.

Where the organization has made the personal data public (for example, by putting it online on a website or social media account), the controller is obliged to erase that personal data on receiving a removal request from the data subject. In addition to erasing the data from your own systems, you must, within reasonable limits, take technical and organizational measures to notify other controllers processing the personal data that the data subject has requested its erasure. The result is that controllers at other organizations must delete any link to, or copy of, the data.

Exceptions

There are, of course, exceptions where the erasure request and the request to be forgotten do not apply, namely:

  • When the processing is necessary for exercising the right to freedom of expression and information. An organization must balance the interest of the data subject who made the request against the interest in exercising freedom of expression and information. For example, a data subject cannot always compel a newspaper to remove a harmful article if the article falls under freedom of expression and information.
  • When you must comply with a legal obligation, perform a task in the public interest, or exercise public authority. An example is an official working for the tax authorities who processes data on the basis of the law.
  • When you process data for reasons of public interest in the area of public health; for example, data required in connection with preventive or occupational medicine, medical diagnoses, or the assessment of an employee's fitness for work.
  • When you process the data for archiving purposes or for scientific or statistical research; for example, archive files kept in archival repositories are often consulted in the context of scientific research.
  • When you process data in connection with a lawsuit. You are not required to comply with an erasure request if the data to which the request relates is necessary for the establishment, exercise, or defense of a legal claim. An example is a list of personal data used as evidence in proceedings between the controller, the municipality, and the applicants.