In 2009, a convicted German murderer applied to court for an order that Wikipedia remove reference to his conviction from its website. Five years later, a Spanish ex-bankrupt sought a court order requiring Google to remove reference to the case from its search results. These were the precursors to the right now enshrined in the GDPR, known formally as the right to erasure.
Definition under the GDPR
An individual has the right to require a data controller to erase personal data concerning them without undue delay where one of the following applies:
- the personal data is no longer necessary in relation to the purpose for which it was originally collected or processed;
- the data controller was relying on the individual’s consent in order to process the personal data, and the individual has since withdrawn that consent;
- the data controller was relying on legitimate interests in order to process the personal data, and the individual objects to the processing of the personal data, and the data controller has no overriding legitimate interest in continuing the processing;
- the data controller was processing the personal data for direct marketing purposes and the individual objects to that processing;
- the personal data is being unlawfully processed;
- the personal data should be deleted to comply with any applicable law;
- the data controller has processed the personal data to offer information society services (ISS) to a child.
What does the GDPR definition really mean?
It is not an unrestricted right to be forgotten, as it is exercisable only in limited circumstances. But if one of those circumstances applies, then the data controller is required (free of charge) to delete that personal data from its systems.
And where the data controller has made that personal data available to third parties, then the data controller must take reasonable steps to ensure those third parties also erase that personal data.
The individual does not have the right to be forgotten where:
- their personal data is being processed in accordance with a legal obligation
- the data controller is exercising its right to freedom of expression
- the processing is in performance of a task carried out in the public interest or in the exercise of an official authority
- the processing is in relation to legal proceedings
- the personal data is simply being archived for scientific, statistical or research purposes in the public interest and erasure would impair the achievement of that processing.
The GDPR also provides two additional exemptions in relation to special category data. The right to be forgotten will not apply where the processing of special category data is necessary:
- for public health purposes in the public interest;
- for the purposes of preventive or occupational medicine.
This second exemption only applies where data is being processed by a health professional under a legal obligation of secrecy.
What effect has this had on UK businesses?
This part of the GDPR attracted considerable media coverage, and businesses expected to see an increase in the number of requests ‘to be forgotten’. Once again, businesses should ensure their data protection policy sets out a process for dealing with any requests.
Businesses need to keep a record of where personal data is disclosed, otherwise they will be unable to comply with the obligation.
Due to the limited circumstances in which a business must comply with a request, it is unlikely to have any material impact in the long run – any data that needs to be destroyed is unlikely to be business-critical.
What should my business be doing?
It is important to ensure your business’s data protection policy sets out a comprehensive procedure for dealing with any requests. In addition, you should also retain detailed records of where any personal data is disclosed to third parties. This will help you in complying with any requests for erasure.
You should, upon receipt of a request, first identify whether any of the eligibility requirements apply. If they do not, then you can inform the individual why you will not be deleting their personal data.
But if one of them does apply, then you next consider whether any of the available exemptions applies. If they do, again, you can inform the individual why you will not be deleting their personal data.
And if one of the circumstances does apply, but none of the exemptions do, then you are required to delete all the relevant personal data, and take reasonable steps to ensure that any third party to whom you’ve disclosed that data also deletes it (hence the need to keep records when you disclose data to third parties). And then tell the individual what you’ve done.
So if I receive a request from somebody asking me to delete their personal data, I don’t necessarily have to do it?
No, not necessarily. First, consider whether any of the grounds in Article 17(1)(a) of the GDPR apply. If they don’t, then you don’t have to delete the data. Secondly, consider whether any of the exemptions in Article 17(3) of the GDPR apply. If they do, again, you don’t have to delete the data.
What if somebody asks me to delete personal data relating to somebody else?
The right only applies where a person asks for deletion of personal data concerning them, not where the data relates to anyone else.
How quickly do I need to act – do I have a month to reply?
No, you must respond ‘without undue delay’. There is no longstop date.
I’ve received a request from a data subject, but I’ve disclosed their details to dozens of other companies. What do I need to do?
Assuming you’ve been through the process and confirmed that they do have the right of erasure, then you delete the personal data from your own systems, and take reasonable steps to inform all those other companies that the subject is exercising their right. You are entitled to consider the technical complexities and cost of liaising with those other companies but, ultimately, you must do everything you reasonably can to ask them to delete the individual’s personal data ‘without undue delay’.
But I don’t have a record of which companies I’ve disclosed the individual’s data to…?
That’s potentially a problem. Under other sections of the GDPR, the individual is entitled to be told to whom you’ve disclosed their personal data (or, at the very least, the categories of companies to which you’ve disclosed their personal data). It is essential that you keep written records of all outgoing disclosures of personal data from this point forward.
I’m involved in a bitter divorce battle – can I ask my partner’s solicitors to delete any personal data they have about me?
No, because none of the grounds in Article 17(1) of the GDPR will apply, so you cannot exercise the right in those circumstances.
- Data controller means the person/business who determines the purposes for which personal data will be processed, and the manner in which it will be processed.
- GDPR means the General Data Protection Regulation, the EU law that effectively replaced the Data Protection Act 1998.
- Personal data means any data from which a living person can be identified.
- Process means to do just about anything with personal data, e.g. collecting, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, transmitting, erasing, destroying or otherwise making the data available to somebody else.
This briefing does not amount to legal advice and is provided for information purposes only. It should not be regarded as a substitute for taking up-to-date legal advice.