The GDPR is a European Regulation designed to do what it says on the tin: protect data. That data being personal data, belonging to you, a citizen of the EU. It puts in place a number of obligations and responsibilities on those deciding how your personal data should be used - the data controllers - and also on those with the responsibility of undertaking that processing at the request of those data controllers - the data processors. The GDPR also gives those whose personal data is being processed - the data subjects - a number of rights. Many of these rights we are familiar with, as they appeared in the GDPR’s predecessor, the Data Protection Act (which remains in force until the 25th of May this year).
The right we will be focusing on today is that of the Right to Erasure, or Right to be Forgotten as it is often referred to. What effect will this actually have? What rights are data subjects actually being given? In what situations can it be used? And how can it be exercised?
The broad principle underpinning this right is the ability of an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing. However, this is not an absolute right that can be exercised whenever an individual decides that they no longer want their personal data processed. It only comes into play in specific circumstances, as set out below:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- When the individual withdraws consent.
- When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
- The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
- The personal data has to be erased in order to comply with a legal obligation.
- The personal data is processed in relation to the offer of information society services to a child.
Can this right only be exercised when substantial damage or distress has been caused?
No – individuals do not have to have suffered damage or distress to exercise the right, however if the processing does cause damage or distress it will be easier for the individual in question to justify their right for removal of the personal data.
What if I have already disclosed the personal data to a third party?
If the personal information in question has already been disclosed to a third party, it is your responsibility to contact each recipient and inform them of the erasure of the personal data (unless this proves impossible or involves disproportionate effort).
If the data subject who requested the erasure asks, you must also inform them who those recipients are.
What if I have already made the personal data public?
The GDPR requires that data controllers who make personal data public online (for example via social networks or websites) should inform other organisations who process the personal data to erase links to, copies of, or replications of the personal data in question. This may not always be possible, for example if the publication of information including the personal data by an organisation is protected by the freedom of expression exemption. The obligation on the controller is to take reasonable steps, and account must be taken of available technology and the cost of implementation. However, it is potentially a wide-reaching obligation which may be difficult to implement given the potential difficulty in identifying who needs to be notified.
Are the circumstances different if I process children’s personal data?
The GDPR provides extra protection in relation to the processing of children’s information given the sensitivity and nature of it. When consenting to processing, children may not be fully aware of the risks involved in the processing. Particular attention must therefore be given to any situation where a child has given consent to processing and at a later date they request its erasure, even if this request is made once they are an adult.
Can I as a data controller ever refuse to comply with a request for erasure?
Yes – there are a number of situations where you can refuse, including where personal data has been processed for the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation for the performance of a public interest task or exercise of official authority;
- for public health purposes in the public interest;
- archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
- the exercise or defence of legal claims.
Organisations should therefore determine if they work in an industry, sector or area where such exemptions may apply, or where compliance with erasure requirements would be so unreasonable and unwarranted that additional Member State-based exemptions should be sought.
How long do I have to respond to such requests?
Data controllers must respond without undue delay, and always within one month (although this can be extended in difficult cases).
What should I do to prepare for such requests being made?
Organisations should ensure that members of staff and suppliers who may receive data erasure requests are appropriately trained to recognise them and know how to deal with them. This may require them to know to whom requests should be passed and how to respond to the individual.