There is a vast range of information readily available online. While this is usually beneficial for a number of reasons, it can become an issue where it involves personal data.
Personal data is usually information that can be used to identify someone. So, this could include emails and phone numbers.
In the EU, individuals are afforded the right to be forgotten. This means they can request that certain organisations remove or take down their personal data. So, how is this all possible?
The General Data Protection Regulation (GDPR) in the EU regulates data privacy and how personal data is collected. In this article, we’ll go through what the GDPR says about the right to be forgotten, and other important privacy matters that businesses need to be aware of.
What Is The Right To Be Forgotten?
The right to be forgotten is essentially the right to have your personal data removed from a certain place. In other words, people have the right to contact a party that is holding their personal data and to ask them to erase it.
This is covered specifically under Article 17 of the General Data Protection Regulation (GDPR). It also requires that the erasure take place without ‘undue delay’, which is about a month.
This goes hand in hand with an individual’s right to access their personal information, which can be found in Article 15 of the GDPR.
The right to be forgotten usually applies when:
- The personal data is no longer necessary for the organisation’s original purpose for collection
- The person withdraws their prior consent to having their data processed
- A pre-existing legitimate interest no longer justifies the processing of data
- An individual objects to the processing of their data for marketing purposes
- The data was processed unlawfully
- The removal of data is required by law
- A child’s personal data has been processed for information society services
Limits To The Right To Be Forgotten
While the GDPR provides a right to be forgotten, in some cases an organisation may have a right to process someone’s data which overrides Article 17.
This may arise where the organisation:
- Is using the data to exercise the right to freedom of expression
- Is using the data for the purpose of legal compliance
- Is using the data for public interest
- Is using the data for public health purposes
There are a number of other reasons which could override the right to be forgotten under the GDPR.
Do I Need To Tell Other People About The Removal Of Personal Data?
There are two instances under which you would need to tell other people about the removal of personal data as requested by an individual:
- Where the data has been disclosed to someone else or an organisation
- Where the personal data has been made public or published online
Can I Refuse To Remove Personal Data?
If someone requests that their personal data be removed or taken down online, you can actually say no in certain circumstances.
For example, you can refuse to remove personal data upon request if the request is excessive, or there are insufficient grounds to make that request. However, it’s important that you explain to the person how it is “excessive”, and disclose this justification to the Information Commissioner.
It’s worth reading more into the grounds upon which you can refuse to remove someone’s data under the right to be forgotten.
The right to be forgotten is only a tiny fragment of the range of privacy matters that the GDPR covers in the EU.
If your business needs some legal advice or help sorting out privacy obligations in the EU, our privacy lawyers are happy to chat with you.
If you would like a consultation on your options going forward, you can reach us at 08081347754 or [email protected] for a free, no-obligations chat.