
Understanding the Right to Be Forgotten (Right to Erasure) under GDPR


In a world where our digital footprints are permanent, the General Data Protection Regulation (GDPR) introduced a powerful counterbalance: the Right to Be Forgotten, also known as the Right to Erasure. This fundamental right gives individuals the power to demand that their personal data be deleted under specific circumstances. For businesses, this means you must have a clear, efficient, and legally sound process in place to handle these requests. This article will demystify the Right to Be Forgotten, explaining when it applies, the exceptions to the rule, and the critical steps your business must take to ensure compliance.

What is the Right to Be Forgotten?

The Right to Erasure, as defined in Article 17 of the GDPR, grants data subjects the right to have their personal data erased without undue delay. This means that if an individual requests it, the company acting as data controller must delete their personal information from its systems and instruct any third parties who have received the data to do the same.

This right is a core component of the GDPR's goal to give individuals greater control over their data. It is a powerful tool that allows people to correct past mistakes or simply to prevent their information from being used in ways they no longer consent to.

When Does the Right to Be Forgotten Apply?

An individual has the right to have their personal data erased if one of the following grounds applies:

  • The data is no longer necessary: The personal data is no longer needed for the purpose for which it was originally collected or processed.
  • Withdrawal of consent: The individual withdraws their consent to the processing of their data, and there is no other legal basis for the processing.
  • Objection to processing: The individual objects to the processing of their data, and there are no overriding legitimate grounds for the processing.
  • Unlawful processing: The personal data has been unlawfully processed.
  • Legal obligation: The data has to be erased for compliance with a legal obligation in EU or Member State law.
  • Child’s data: The personal data was collected in relation to the offer of information society services (e.g., social media) to a child.

Important Exceptions to the Right to Erasure

The Right to Be Forgotten is not absolute. There are several circumstances where a data controller can refuse an erasure request, even if one of the above grounds applies. The right does not apply when the processing of the data is necessary for:

  • Exercising freedom of expression and information: For example, when a journalist is using the data as part of a news article.
  • Compliance with a legal obligation: If the data must be kept to comply with national or EU law.
  • Public interest tasks: The data is necessary for a task carried out in the public interest or in the exercise of official authority.
  • Public health: The data is necessary for reasons of public interest in the area of public health.
  • Archiving and research: The data is needed for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.
  • Legal claims: The data is necessary for the establishment, exercise, or defense of legal claims.

How to Handle an Erasure Request Correctly

When a data subject makes an erasure request, your business must have a clear process to follow. Here are the key steps:

1. Verify the Request

First, verify the identity of the person making the request to ensure they are the data subject. You must also confirm that one of the grounds for erasure applies and that there are no exceptions that would allow you to refuse the request.

2. Respond Promptly

You must respond to the request without undue delay and at the latest within one month of receiving it. If the request is complex, you can extend this period by a further two months, but you must inform the individual within the initial month and explain the reason for the delay.

3. Erase the Data

If the request is valid, you must erase the personal data and confirm that this has been done. If you have made the data public, you must also take reasonable steps to inform other controllers who are processing the data to erase it.

4. Maintain Records

Even after erasing the data, you should keep a record of the request and the action you took. This is crucial for demonstrating your accountability under GDPR.

By understanding and correctly implementing the Right to Be Forgotten, your business can not only avoid fines but also build a reputation as a trustworthy and privacy-conscious organization.
