The General Data Protection Regulation (GDPR) governs and regulates how personal data must be collected, stored, processed, and erased. The “right to be forgotten,” generally called the “right to erasure,” which attracted a lot of press after the 2014 judgment from the EU Court of Justice, set the precedent for the right of erasure provision contained in the GDPR.
The Right to Erasure
Under the right to be forgotten, also known as the right to erasure, the GDPR gives individuals the right to ask organizations to delete their personal data. But organizations don’t always have to do it. Here we explain when the right to be forgotten applies and when it doesn’t. The right to be forgotten is much more complicated than an individual simply asking an organization to erase their personal data.
Right to Erasure is the Right to be Forgotten
The right to be forgotten appears in Recitals 65 and 66 and in Article 17 of the GDPR. It states, “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay” if one of a number of conditions applies. “Undue delay” is considered to be about a month. You must also take reasonable steps to verify that the person requesting erasure is actually the data subject.
People’s Right to Access
The right to be forgotten dovetails with people’s right to access their personal information in Article 15. The right to control one’s data is worthless if people cannot take action when they no longer consent to processing, when there are significant errors within the data, or if they believe information is being stored needlessly. In these cases, an individual can request that the data be erased.
When Does the Right to be Forgotten Apply?
Article 17 of the GDPR outlines the specific situations under which the right to be forgotten applies. An individual has the right to have their personal data erased if:
- Personal data is no longer necessary for the purpose an organization initially collected or processed it.
- An organization is relying on an individual’s consent as the lawful basis for processing the data and that individual withdraws their consent.
- An organization is relying on legitimate interests as its justification for processing an individual’s data, the individual objects to this processing, and there is no overriding legitimate interest for the organization to continue with the processing.
- An organization is processing personal data for direct marketing purposes and the individual objects to this processing.
- An organization processed an individual’s personal data unlawfully.
- An organization must erase personal data in order to comply with a legal ruling or obligation.
- An organization has processed a child’s personal data to offer their information society services.
However, an organization’s right to process someone’s data might override their right to be forgotten. Here are the reasons cited in the GDPR that trump the right to erasure:
- The data is being used to exercise the right of freedom of expression and information.
- The data is being used to comply with a legal obligation.
- The data is being used to perform a task that is being carried out in the public interest or when exercising an organization’s official authority.
- The data being processed is necessary for public health purposes and serves in the public interest.
- The data being processed is necessary to perform preventive or occupational medicine. This only applies when the data is being processed by a health professional who is subject to a legal obligation of professional secrecy.
- The data represents important information that serves the public interest, scientific research, historical research, or statistical purposes and where erasure of the data would likely impair or pause progress towards the achievement that was the goal of the processing.
- The data is being used for the establishment of a legal defense or in the exercise of other legal claims.
Right to be Forgotten Request Prototype
The GDPR does not stipulate what a valid request for erasure entails. An individual can make a request for erasure verbally or in writing. This request can also be made to any member of your organization, not just to a designated contact. As long as a request meets the basics above, it is valid, even if it does not refer to “Request for Erasure,” the “Right to be forgotten,” Article 17, or the GDPR.
SECTION 1: Details of the person requesting information
Contact telephone number:
SECTION 2: Are you the data subject?
YES: I am the data subject. I enclose proof of my identity (see below). (Please go to Section 4) or,
NO: I am acting on behalf of the data subject. I have enclosed the data subject’s written authority and proof of the data subject’s identity and my own identity (see below). (Please go to Section 3)
To ensure we are erasing data of the right person we require you to provide us with proof of your identity and of your address. Please supply us with a photocopy or scanned image of one or both of the following:
1) Proof of Identity
Passport, photo driver’s license, national identity card, birth certificate.
2) Proof of Address
Utility bill, bank statement, credit card statement (no more than 3 months old); current driver’s license.
If we are not satisfied you are who you claim to be, we reserve the right to refuse to grant your request.
SECTION 3: Details of the data subject (if different from section 1)
Contact telephone number:
SECTION 4: Reason for the erasure request
Given the sensitive nature of erasing personal data, GDPR Article 17(1) requires certain conditions to be met before a request may be considered. Please supply the reason you wish your data to be erased and please attach any justifying documents to this one.
- You feel your personal data is no longer necessary for the purposes for which we originally collected it.
- You no longer consent to our processing of your personal data.
- You object to our processing of your personal data as is your right under Article 21 of the GDPR.
- You feel your personal data has been unlawfully processed.
- You feel we are subject to a legal obligation of the EU or Member State that requires the erasure of your personal data.
- You are a child, you represent a child, or you were a child at the time of the data processing and you feel your personal data was used to offer you information society services.
SECTION 5: What information do you wish to erase or delete?
Describe the information you wish to erase. Provide any relevant details you think will help us to identify the information. Providing the URL for each link you wish to be removed would be helpful.
SECTION 6: Declaration
Please note that any attempt to mislead may result in prosecution.
I confirm that I have read and understood the terms of this subject access form and certify that the information given in this application to ______________ is true. I understand that it is necessary for ________________ to confirm my/the data subject’s identity and it may be necessary to obtain more detailed information in order to locate the correct personal data.
Signed: ………………………………………… Date: ……………..
Documents that must accompany this application:
- Evidence of your identity
- Evidence of the data subject’s identity
- Authorization from the data subject to act on their behalf (if applicable)
- Justification for the erasure of data