Also known as the “right to erasure,” the GDPR gives individuals the right to ask organisations to delete their personal data. But organisations don’t always have to do it. Here we explain when the right to be forgotten applies and when it doesn’t.
The General Data Protection Regulation (GDPR) governs how personal data must be collected, processed, and erased. The “right to be forgotten,” which received a lot of press after the 2014 judgment from the EU Court of Justice, set the precedent for the right of erasure provision contained in the GDPR. Of course, given competing interests and the hyper-connected nature of the Internet, the right to be forgotten is much more complicated than an individual simply requesting that an organisation erase their personal data. This article takes a closer look at when people can make a right to be forgotten request, the value it adds for EU residents, and how organisations can create a right to be forgotten form to ensure GDPR compliance.
The right to be forgotten appears in Recitals 65 and 66 and in Article 17 of the GDPR. It states, “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay” if one of a number of conditions applies. “Undue delay” is considered to be about a month. You must also take reasonable steps to verify that the person requesting erasure is actually the data subject.
The right to be forgotten dovetails with people’s right to access their personal information in Article 15. The right to control one’s data is meaningless if people cannot take action when they no longer consent to processing, when there are significant errors within the data, or if they believe information is being stored unnecessarily. In these cases, an individual can request that the data be erased. But this is not an absolute right. If it were, the critics who argue that the right to be forgotten amounts to nothing more than a rewriting of history would be correct. Thus, the GDPR walks a fine line on data erasure.
In Article 17, the GDPR outlines the specific circumstances under which the right to be forgotten applies. An individual has the right to have their personal data erased if:
However, an organization’s right to process someone’s data might override their right to be forgotten. Here are the reasons cited in the GDPR that trump the right to erasure:
Furthermore, an organisation can request a “reasonable fee” or deny a request to erase personal data if the organisation can justify that the request was unfounded or excessive.
As you can see, there are many variables at play, and each request will have to be evaluated individually. Add to that the technical burden of keeping track of all the places an individual’s personal data is stored or processed, and it is easy to see why the GDPR’s new privacy rights could be a significant compliance burden for some organisations.
The GDPR does not specify what a valid request for erasure entails. An individual can make a request for erasure verbally or in writing. This request can also be made to any member of your organisation, not just to a designated contact. As long as a request meets the conditions above, it is valid, even if it does not refer to “Request for Erasure,” the “Right to be Forgotten,” Article 17, or the GDPR.
This can create a challenge for an organisation as an employee could receive a valid verbal request. Below is a sample “Right to Erasure” request form that could help you streamline the process. Note that this is just a template and can be modified to suit your organization’s needs.