
Understanding the 'Right to Be Forgotten' and How to Implement It

An illustration of a user's data being securely erased from a digital record, symbolizing the 'right to be forgotten'.

The "right to be forgotten," or the right to erasure, is one of the most well-known and impactful provisions of the GDPR. It gives individuals the right to have their personal data erased and to stop its further dissemination. While this may sound straightforward, its implementation can be complex.

This guide will walk you through the key aspects of this right and provide a clear, step-by-step process for ensuring your business is ready to handle such requests correctly and compliantly.

What Exactly Is the Right to Be Forgotten?

The right to erasure (Article 17) allows an individual to request the deletion of their personal data when there is no compelling reason for its continued processing. This right is not absolute and applies in specific circumstances, such as:

  • The data is no longer necessary for the purpose for which it was collected.
  • The individual withdraws their consent, and there is no other legal basis for processing.
  • The individual objects to the processing, and there are no overriding legitimate grounds to continue.
  • The data was unlawfully processed.

It's important to remember that there are exceptions. For example, you may refuse a request if the data is required for a legal obligation, for public health reasons, or for the exercise of a legal claim.

Step-by-Step Implementation for Your Business

Having a documented procedure is crucial. Follow these steps to prepare your organization:

  1. Acknowledge the Request: As soon as you receive a request, you must acknowledge it and respond within one month.
  2. Verify the Identity: Take reasonable steps to verify the identity of the requester, so that a third party cannot maliciously have someone else's data deleted.
  3. Assess the Request: Determine if the request falls under one of the valid grounds for erasure and if there are any exceptions that apply.
  4. Erase the Data: If the request is valid, securely and permanently delete all personal data. This includes data held by any third-party processors you share it with.
  5. Confirm the Erasure: Inform the individual that their data has been deleted and provide a record of the action taken.

Your Privacy Policy is the First Step

Your public-facing privacy policy must clearly outline how users can exercise their right to be forgotten. This includes providing a simple, accessible contact method for them to make a request.

Don't leave user rights to chance. Our free GDPR Policy Checker can confirm if your privacy policy properly outlines the 'right to be forgotten' and other critical user rights, giving you a clear path to compliance.
