Does GDPR require businesses to delete all data upon an individual’s request?

What is meant by “The Right to be Forgotten” under GDPR?

The right to be forgotten is one of the key innovations of GDPR, but it’s not exactly a new right, nor is it absolute. It developed in European law in the aftermath of an important court case known as the Google vs Spain ruling. In 2010, a Spanish citizen complained about an outdated court order against him appearing on Google search results. The European Court of Justice agreed this infringed on his right to privacy and ruled that individuals have the right, under certain conditions, to ask search engines to remove links with personal information about them where the information is inaccurate, inadequate, irrelevant or excessive.

The right to be forgotten has been enshrined in GDPR as the right to erasure. This is slightly more encompassing than the original Google vs Spain rules, giving an individual the right to have their personal data erased and prevent it being processed in specific circumstances.

Why is the right to be forgotten important?

The right to be forgotten provides important protections for privacy and helps promote agency and autonomy. It stems from the idea that individuals should have the ability to remove negative references and personal information about them from the internet, and that one’s prior misdeeds or errors in judgement should not come up on internet searches forever.

When does the right to be forgotten apply?

Under what circumstances is one eligible to be forgotten, i.e. to have their data removed or erased? In Article 17, the GDPR outlines the specific circumstances under which the right to erasure applies:

Under GDPR, when can someone ask to have their data erased?

Someone can ask to have their data erased if:

  • They withdraw consent
  • The data is not necessary in relation to the reason it was first collected
  • The data was processed unlawfully
  • They object and there is no overriding legitimate interest to continue the processing

How is the right to erasure applied under GDPR?

GDPR does not specify exactly what a valid request for erasure entails, and a request can be made either verbally or in writing. The request can be made to any member of your organisation; it does not have to be made to one designated contact. Each request will be evaluated individually. There are right-to-erasure template forms available to help individuals know what to include, and they’ll also need to attach evidence of their identity, evidence of the data subject’s identity (if different), authorisation from the data subject on their behalf (when relevant) and justification for erasure of the data.

When can the right to erasure be refused?

The right to erasure is balanced against other interests, however. Requests for erasure can be refused if:

  • Erasure would infringe on freedom of expression and information
  • The data is needed to comply with a legal obligation
  • The data is needed for public health purposes
  • The data is required for public interest, research or historical records purposes
  • The data is needed in defence of legal claims

If a request for erasure conflicts with record keeping policies, for instance employee data which must legally be retained for a set period of time, then the right to erasure does not override this.

Another complicating factor is the requirement under GDPR to be accountable. Even if you are able to comply with an erasure request, you can’t simply delete all instances of a person’s name from your system and never think about them again. Any request for erasure must be tracked, including the nature of the request and the fact it was executed. It may be that some of the data can be erased, but other parts must be kept, at the very least the fact there was information held about them and this was deleted following an erasure request. This is another feature of GDPR to be aware of. The fact you cannot comply with the request in totality does not mean it should be completely rejected.

This blog is the second in a series of GDPR Mythbusters VinciWorks will be publishing to help businesses distinguish between helpful guidelines and scary myths.