The General Data Protection Regulation (GDPR) applies from May 2018, and from that date it gives EU citizens the ‘right to erasure’, also commonly referred to as the ‘right to be forgotten’.
The ‘right to be forgotten’ is generally associated with online search results that are in the public domain, but it also extends to an individual's right to request that some or all of the data stored about them is removed.
An individual who wants to view all of the information stored about them may make a ‘subject access request’.
Extension of rights
The GDPR has expanded and developed this ‘right to erasure’ to include all data held by any organisation, whether the information is publicly available or not.
Under the GDPR any EU citizen has a right to have personal information deleted in full or in part when:
- the data is no longer necessary in relation to the purpose for which it was originally collected
- consent is withdrawn and there is no legal or other overriding legitimate interest in storing the data
- consent was never given and the data was, or is being, illegally processed
- the personal data is processed in relation to the offer of information society services to a child
Before the GDPR, the burden of proof was the wrong way around: it was down to individuals (data subjects) to prove they had the right for their data to be deleted.
Now it is the responsibility of the ‘data controller’ (the organisation) to prove that it has a legal basis for storing the data; if it cannot do that, the data must be destroyed.
Dealing with requests
The GDPR states that data controllers must communicate with data subjects “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.”
Where an EU citizen wants to exercise one of their rights, the ‘data controller’ has to comply “without undue delay” and at most within a month of the request.
If there is a high number of requests, the data controller may ask for an extension “where necessary”. If the data controller opts not to grant a request, it must explain its decision to the data subject within one month.
Crucially, all of these services must be provided free of charge. Any organisation that has not already started to put in place contingencies for requests from the individuals whose data it holds could face significant challenges in providing these services.
Grounds for refusal
The GDPR states that ‘data controllers’ must process requests from ‘data subjects’ “without undue delay” and at most within a month of the request.
The right to erasure is not absolute, however, and there are some very important exceptions to this rule that data controllers need to be aware of, from both an operational and a legal perspective.
A data controller can refuse to comply with a request for erasure where the personal data is necessary:
- to exercise the right of freedom of expression and information
- to comply with a legal obligation for the performance of a public interest task or exercise of official authority
- for public health purposes or when it is in the public interest
- for archiving purposes which are in the public interest, such as scientific research, historical research or statistical purposes
- for the exercise or defence of legal claims
It is important to remember that, under the GDPR, it is data controllers and not data subjects that must prove that they have a legal basis for retaining control of, or access to, the data subject's data, and they have to explain to the individual who made the request why they are refusing to comply.