Article 17 of the GDPR (General Data Protection Regulation) plays a distinctive yet essential role in data protection law.
It enshrines “the right to erasure” (sometimes referred to as “the right to be forgotten”), which allows people to request that an organisation deletes any personal data related to them.
There are several reasons why someone might make such a request, and in almost all instances, the organisation must comply.
Failure to fulfil this requirement is considered a serious breach and could be penalised under the GDPR’s upper tier of fines of €20 million (£17.5 million under the UK GDPR) or 4% of the organisation’s annual global turnover.
What is the right to erasure?
The right to erasure states that individuals can force an organisation to remove any personal data processed about them.
It’s one of eight data subject rights enshrined in the GDPR, alongside the likes of the right to restrict processing and the right object, and they are each designed to give individuals greater control over the way their personal data is used.
These rights can be exercised by first submitting a DSAR (data subject access request). This process requires the organisation to provide copies of any personal data that it holds on the individual, as well as supporting information.
For instance, the organisation must have a documented lawful basis for processing that information, and it must state whether it has shared – or is planning to share – the information with any third parties.
If the individual is unhappy with any of the details provided in this access request, they can exercise one of their data subject rights, including the right to erasure.
When does the right to erasure apply?
The right to erasure can be exercised when:
- The organisation no longer needs the data for the purpose for which it was originally collected;
- The individual withdraws consent;
- The individual objects to the processing, and the organisation has no overriding legitimate interest in the data;
- The controller or processor collected the data unlawfully;
- The data must be erased to comply with a legal obligation; or
- The data was processed in relation to the offer of information society services to a child.
When can you refuse an erasure request?
Organisations can refuse to comply with a request for erasure if:
- The processing is protected by the right to freedom of expression;
- Processing the data is necessary to comply with a legal obligation for the performance of a public interest task or exercise of official authority;
- The data is for health purposes in the public interest;
- The data is being used for archiving purposes in the public interest, scientific or historical research, or statistical purposes; or
- The processing is necessary to exercise or defend legal claims.
Can you charge a fee?
In most instances, you cannot charge a fee to respond to the right to erasure. However, you are permitted to charge a “reasonable fee” for the administrative costs if the request is manifestly unfounded or excessive.
A request is deemed unfounded if the individual has not provided a clear reason why they are exercising their right. Meanwhile it is excessive if the same person has recently submitted multiple requests.
How long do you have to comply?
Organisations must respond to a request for erasure within at least one month, whether that’s to confirm that the information has been deleted or explain that you have refused their request.
The time limit to respond starts on receipt of the request, or upon any further information that’s needed to complete the task. For instance, you might need to confirm the requester’s identity or if you are charging a fee, you can wait until you have received payment.
The time limit for responding begins when the request is received or when any additional information needed to fulfil the request is obtained. For example, if you need to verify the identity of the requester, or if you are charging a fee, you can wait until you receive the information or payment before beginning to process the request.
GDPR compliance support with IT Governance
As we’ve explained in this blog, fulfilling the right to erasure can be a complex process. It’s therefore necessary that you have the right documentation to manage the process.
This is where IT Governance can help. Our GDPR Documentation Toolkit is an essential resource for organisations looking to simplify and accelerate their data protection compliance project.
It contains templates for all the GDPR’s policies, including our Data Subjects Rights Procedure, which covers everything you need to meet the right to erasure.
Written by lawyers and expert practitioners, it’s the most comprehensive toolkit on the market. It’s used by 3,000 organisations worldwide, so you can be confident in its ability to help you demonstrate compliance while reducing your implementation costs.
Get started today and take the first step towards a more streamlined and efficient GDPR implementation.