Something that’s drawn a lot of attention in the lead up to the General Data Protection Regulation (GDPR) compliance deadline is “the right to erasure”, also known as the “right to be forgotten”. The new data subject right allows, in certain circumstances, individuals to request that all information held about them is permanently erased.
Although your organisation will not always have to comply with an erasure request, you must if:
- The personal data is no longer necessary for the purpose you originally collected or processed it for;
- You are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
- You are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
- You are processing the personal data for direct marketing purposes and the individual objects to that processing;
- You have processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the first principle);
- You have to do it to comply with a legal obligation; or
- You have processed the personal data to offer information society services to a child.
The right to erasure doesn’t apply if processing is necessary for one of the following reasons:
- To exercise the right of freedom of expression and information;
- To comply with a legal obligation;
- For the performance of a task carried out in the public interest or in the exercise of official authority;
- For archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
- For the establishment, exercise or defence of legal claims.
The GDPR also specifies two circumstances where the right to erasure will not apply to special category data:
- If the processing is necessary for public health purposes in the public interest (e.g. protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of healthcare and of medicinal products or medical devices); or
- If the processing is necessary for the purposes of preventative or occupational medicine (e.g. where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (e.g. a health professional).
The GDPR requests that you give extra weight to an erasure request if it comes from a child, or from someone who was a child when the data was originally processed. Children have enhanced rights under the GDPR, and a child may not have been fully aware of the risks (especially online) involved in the processing.
You may need to let other organisations know if you receive an erasure request. If you have disclosed the data to third parties or the data has been made public, the erasure request extends to these and you will need to let the relevant organisations know to erase the data.
Like any other data subject request, you’ll need to respond within one month of receiving the request.
Our EU GDPR Documentation Toolkit will help you ensure your data subject access request and other procedures are up to date and GDPR-compliant. You’ll receive a complete set of documentation templates that are easy to use, customisable and GDPR-compliant.