
The Right to Erasure

What is the right to erasure?

Also known as the right to be forgotten, the underlying principle is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

When does the right to erasure apply?

The right to erasure is not an absolute right. Data subjects have the right for their personal data to be erased and/or to prevent further processing of their personal data in specific circumstances:

(i) where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed;

(ii) when the individual withdraws consent (to the extent that consent was the processing condition under which the data was processed);

(iii) when the individual objects to the processing and there is no overriding legitimate interest for continuing the processing;

(iv) the personal data was unlawfully processed;

(v) the personal data has to be erased in order to comply with a legal obligation such as the order of a court;

(vi) the personal data is processed in relation to the provision of online services to a child.

Under the GDPR, this right is broader than simply applying to processing that is likely to cause damage or distress. However, if the processing does cause damage or distress, this is likely to make the case for erasure stronger.

When can a controller or processor refuse to comply with a request for erasure?

You can refuse to comply with a request for erasure where the personal data is processed for the following reasons:

(i) to exercise the right of freedom of expression and information;

(ii) to comply with a legal obligation for the performance of a public interest task or exercise of official authority;

(iii) for public health purposes in the public interest;

(iv) for archiving purposes in the public interest, scientific research, historical research or statistical purposes; or

(v) in the exercise or defence of legal claims.

How does an erasure request apply to organisations to whom I have disclosed the personal data?

If you have disclosed the personal data in question to third parties, you must inform them about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so.

The GDPR reinforces the right to erasure by clarifying that organisations in the online environment who make personal data public should inform other organisations who process the personal data to erase links to, copies of, or replications of the personal data in question.

While this might be challenging, if you process personal information online, for example on social networks, forums or websites, you must endeavour to comply with these requirements.