
The GDPR Right to Erasure (Right to be Forgotten) Under Article 17

 
Article 17 of the GDPR provides the right to erasure, which is more commonly referred to as the right to be forgotten. This right allows EU citizens to withdraw their consent to process their data. It also obligates the controller of data to erase it if the personal data is no longer necessary for the purpose it was collected or if it is discovered that the data has been unlawfully processed.

The right to be forgotten is an important means for privacy-concerned customers to limit their digital footprint, eliminate bad or misleading data, and mitigate their personal risks of data breaches at organizations.


History of the Right to be Forgotten

The right was originally developed by litigation against the search engines for the deletion of older materials still contained in their indexes even though they were no longer newsworthy or accurate. The right was recognized by the European Court of Justice in 2014 and the search engines have subsequently been receiving requests for deletion under its terms. For additional information, read our history of the right to be forgotten.

The Right of Erasure under GDPR

The data subject is entitled to deletion of the personal data held by an organization where:

– the personal data is no longer necessary for the purpose it was collected or processed.

– the data subject has withdrawn consent and there is no other ground for lawful processing.

– the data subject has a valid objection to processing under Article 21(1) or (2).

– the personal data has been unlawfully processed.

– a legal obligation of the controller requires erasure.

– the personal data was collected in the offer of information society services to a child under Article 8(1).

Personal Data Made Public

A controller that has made an individual’s personal data public and receives a valid request to delete it must take reasonable steps, based on available technology and cost, to inform controllers processing the data that there has been a request for erasure of any copies of it or links to the personal data.

The UK ICO has also explained that the GDPR requires other organizations be told about the erasure of personal data if the personal data has been disclosed to them. The ICO guidance is for an organization to contact each recipient and inform them of the erasure request.

Process for Valid Requests

The GDPR does not prescribe a particular manner in which an individual has to exercise this right. The UK ICO guidance is that an individual can make a request for erasure either verbally or in writing to any part of your organization. They do not need to make the request to a specific person or to include terminology about Article 17 or the right to erasure. The ICO puts the onus on the organization to train its employees and to properly handle individual requests for erasure in any form in which they are made.

Timeframe

Controllers must act upon valid requests for erasure without undue delay. Organizations should have processes in place to ensure that they can delete the personal data of an individual within one month of receiving the request.

Countervailing Duties

The right to erasure is not without limitation. Broadly, there are three categories that exempt an organization that would otherwise need to delete the personal information of a data subject under Article 17 of the GDPR:

Journalism and the Arts: The right to be forgotten does not apply if processing is necessary for the exercising of the right of freedom of expression and information. In other words, the right of erasure does not require limitation of the use of the information for journalistic purposes and the purposes of academic, artistic or literary expression.

Legal Obligations or Legal Claims: The GDPR provides for two exceptions to the right to be forgotten related to legal concerns. Article 17(3)(b) allows organizations to maintain personal data otherwise subject to deletion if a legal obligation set by law requires processing. Article 17(3)(e) also permits the retention of personal information if it is necessary for the establishment, exercise or defense of legal claims. However, if it is possible to comply with the legal obligation or to establish the legal claim or defense and delete the information, then the exception may not be broad enough to apply.

Public Interest Tasks: There are three cases specifically enumerated in the exceptions to Article 17 that cover items related to the public interest. Article 17(3)(b) covers the performance of a task carried out in the public interest, Article 17(3)(c) covers reasons of public health in accordance with Article 9, and Article 17(3)(d) covers Article 89 processing for archiving in the public interest, scientific or historical research purposes, insofar as the right to erasure of the personal data is likely to render achievement of the objectives of that processing impossible or seriously impaired.

Refusals

If an organization is not going to delete an individual’s data, then the ICO has said it should inform the individual about the reasons that deletion will not occur, their right to complain to the appropriate supervisory authority, and their ability to seek enforcement through the judiciary.

Other Data Subject Access Rights

GDPR Article 15: Right of Access
GDPR Article 16: Right to Rectification
GDPR Article 20: Right to Data Portability

Data Subject Access Rights Software

Looking for a software tool to manage data subject access requests? Consider the Clarip DSAR Portal.

Contact Clarip Today for Help with CCPA and GDPR

The Clarip team and data privacy software are prepared to help your organization improve its privacy practices. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo or speak to a member of the Clarip team.

If your challenge right now is CCPA compliance for your California operations, allow us to show you our CCPA software. From consent management software to offer the option to opt-out of the sale of personal data, to a powerful DSAR Portal to facilitate the right to access and delete, Clarip offers enterprise privacy management at an affordable price.

If you are preparing your European operations for GDPR compliance, we can help through our modular GDPR software. Whether you are looking to start the process with GDPR data mapping software, increase automation in your privacy program with DPIA software, or handle ePrivacy with a cookie consent manager, Clarip has the privacy platform that you need to bolster your program.
