In 2009, a convicted German murderer applied to court for an order that Wikipedia remove reference to his conviction from its website. Five years later, a Spanish ex-bankrupt sought a court order requiring Google to remove reference to the case from its search results. These were the precursors to the right now enshrined in the GDPR, known formally as the right to erasure.
Definition Under the GDPR
An individual has the right to require a data controller to erase personal data concerning them without undue delay where one of the following applies:
- the personal data is no longer necessary in relation to the purpose for which it was originally collected or processed;
- the data controller was relying on the individual’s consent in order to process the personal data, and the individual has since withdrawn that consent;
- the data controller was relying on legitimate interests in order to process the personal data, and the individual objects to the processing of the personal data, and the data controller has no overriding legitimate interest in continuing the processing;
- the data controller was processing the personal data for direct marketing purposes and the individual objects to that processing;
- the personal data is being unlawfully processed;
- the personal data should be deleted to comply with any applicable law;
- the data controller has processed the personal data to offer information society services (ISS) to a child.
What Does the GDPR Definition Really Mean?
It is not an unrestricted right to be forgotten, as it is exercisable only in limited circumstances. But if one of those circumstances applies, then the data controller is required (free of charge) to delete that personal data from its systems.
And where the data controller has made that personal data available to third parties, then the data controller must take reasonable steps to ensure those third parties also erase that personal data.
The individual does not have the right to be forgotten where:
- their personal data is being processed in accordance with a legal obligation;
- the data controller is exercising its right to freedom of expression;
- the processing is in performance of a task carried out in the public interest or in the exercise of an official authority;
- the processing is in relation to legal proceedings;
- the personal data is simply being archived for scientific, statistical or research purposes in the public interest and erasure would impair the achievement of that processing.
The GDPR also provides two additional exemptions in relation to special category data. The right to be forgotten will not apply where the processing of special category data is necessary:
- for public health purposes in the public interest;
- for the purposes of preventive or occupational medicine.
This second exemption only applies where data is being processed by a health professional under a legal obligation of secrecy.
What Effect has this had on UK Businesses?
This part of the GDPR attracted considerable media coverage, and businesses expected to see an upsurge in the number of requests ‘to be forgotten’. Once again, businesses should ensure their data protection policy sets out a process for dealing with any requests.
Businesses need to keep a record of where personal data is disclosed; otherwise they will be unable to comply with the obligation to notify third-party recipients.
Due to the limited circumstances in which a business must comply with a request, it is unlikely to have any material impact in the long run – any data that needs to be destroyed is unlikely to be business-critical.
What Should my Business be Doing?
It is important to ensure your business’s data protection policy sets out a comprehensive procedure for dealing with any requests. In addition, you should also retain detailed records of where any personal data is disclosed to third parties. This will help you in complying with any requests for erasure.
You should, upon receipt of a request, first identify whether any of the eligibility requirements apply. If none does, then you can inform the individual why you will not be deleting their personal data.
But if one of them does apply, then you next consider whether any of the available exemptions applies. If one does, again, you can inform the individual why you will not be deleting their personal data.
And if one of the circumstances does apply, but none of the exemptions do, then you are required to delete all the relevant personal data, and take reasonable steps to ensure that any third party to whom you’ve disclosed that data also deletes it (hence the need to keep records when you disclose data to third parties). And then tell the individual what you’ve done.