This website use cookies Accept

Subscribe to our exclusive weekly newsletter

Join our mailing list and receive every week our news and tips into your mailbox!

The Right to be Forgotten

The upcoming implementation of the European Union's General Data Protection Regulation has businesses all over the world rushing to fulfil the compliance requirements. The regulation covers pretty much anything to do with data security and data protection, information security and secure data management.

Right to be forgotten GDPR

September 22, 2017

“The Right to be Forgotten” – known as “The Right to Erasure” in the legislation – gives data subjects the mandate of requesting erasure of personal information, removing it from data controllers and processors – as outlined in Article 17 of GDPR:

“The right to obtain from the data controller the erasure of personal data concerning him… without undue delay”

There are various circumstances under which data subjects may request to be forgotten, for their stored information to be erased:

  • When the data subject withdraws their content.
  • When the storage of the personal data is no longer necessary for the reason it was collected.
  • When the personal data was not processed in a lawful way.
  • When a legal obligation requires that the personal data be erased.
  • When there is no longer legitimate reason for the processing of the data and the data subject objects to the processing.
  • When the data subject was a child at the time of collecting the data.

However, the legislation also outlines a number of circumstances under which the right o erasure may be refused:

  • To exercise the right of freedom of expression and information
  • For complying with a legal obligation which requires processing by Union or Member State law.
  • For public health reasons in the public interest
  • For archiving purposes in the public interest, scientific, statistical or historical research purposes.
  • For the establishment, exercise or defence of legal claims

Restriction of processing

The GDPR also includes provisions that partially restrict data processing, so data subjects don’t need to later request the deletion of their data. These restrictions apply to certain types of data, under the blanket term “restricted data” – data that may only be stored and not processed – unless the data subject consents to the data’s processing or if the processing is necessary for legal claims or for the protection of rights other people.

But when does regular data become restricted data?

  • If the data subject contests the accuracy of the personal data, to allow time for the controller ma verify the accuracy of the personal data.
  • If the data subject requests restricted use of their data and the processing of the data is unlawful.
  • If the data controller no lo longer requires the personal data for processing, but the data is required by the data subject for legal reasons.
  • If the data subject objects to the data processing pin relation to Article 21.1

[democracy id=”3″]

Quick response

If a data subject chooses to exercise their right to be forgotten, the GDPR obliges the organisation in question to react quickly. Organisations are allowed leeway on this issue if there is a legitimate reason to not adhere to the data subjects’ request immediately – if the data needs to be kept for research or legal purposes or due to a freedom of expression issue.

Third party controllers

While the GDPR obviously requires data controllers within organisations to fulfil higher standards of controlling personal data, the law also puts in their hands the responsibility of removing personal data from third party organisations.

ABOUT EUREKA

Eureka means “I found it!” and was the phrase that exclaimed Archimedes after discovering that the volume of water that ascends is equal to the volume of the submerged body. It is about problem solving, learning, and discovery. So that is precisely the purpose of this website: to understand, to learn. A tribute to our ancient history. From Europe to the world.