In London’s Piccadilly Circus, an advertising screen the size of two basketball courts detects the ages, genders and moods of passers-by and responds by displaying targeted ads. The process uses facial-recognition cameras hidden behind the Piccadilly Lights billboards to pick out faces in the crowd and assess which adverts might be of interest.
“The Right to be Forgotten” – known as “The Right to Erasure” in the legislation – gives data subjects the mandate of requesting erasure of personal information, removing it from data controllers and processors – as outlined in Article 17 of GDPR:
“The right to obtain from the data controller the erasure of personal data concerning him… without undue delay”
There are various circumstances under which data subjects may request to be forgotten, for their stored information to be erased:
- When the data subject withdraws their content.
- When the storage of the personal data is no longer necessary for the reason it was collected.
- When the personal data was not processed in a lawful way.
- When a legal obligation requires that the personal data be erased.
- When there is no longer legitimate reason for the processing of the data and the data subject objects to the processing.
- When the data subject was a child at the time of collecting the data.
However, the legislation also outlines a number of circumstances under which the right o erasure may be refused:
- To exercise the right of freedom of expression and information
- For complying with a legal obligation which requires processing by Union or Member State law.
- For public health reasons in the public interest
- For archiving purposes in the public interest, scientific, statistical or historical research purposes.
- For the establishment, exercise or defence of legal claims
Restriction of processing
The GDPR also includes provisions that partially restrict data processing, so data subjects don’t need to later request the deletion of their data. These restrictions apply to certain types of data, under the blanket term “restricted data” – data that may only be stored and not processed – unless the data subject consents to the data’s processing or if the processing is necessary for legal claims or for the protection of rights other people.
But when does regular data become restricted data?
- If the data subject contests the accuracy of the personal data, to allow time for the controller ma verify the accuracy of the personal data.
- If the data subject requests restricted use of their data and the processing of the data is unlawful.
- If the data controller no lo longer requires the personal data for processing, but the data is required by the data subject for legal reasons.
- If the data subject objects to the data processing pin relation to Article 21.1
If a data subject chooses to exercise their right to be forgotten, the GDPR obliges the organisation in question to react quickly. Organisations are allowed leeway on this issue if there is a legitimate reason to not adhere to the data subjects’ request immediately – if the data needs to be kept for research or legal purposes or due to a freedom of expression issue.
Third party controllers
While the GDPR obviously requires data controllers within organisations to fulfil higher standards of controlling personal data, the law also puts in their hands the responsibility of removing personal data from third party organisations.