What is the Right to Erasure?
Defined in Article 17, Right to Erasure is one of the data subject rights covered in Chapter 3 of the General Data Protection Regulation (GDPR).
Right to Erasure Summary
- Right to erasure gives an individual the right to request deletion of their personal data
- Right to erasure is also referred to as the right to be forgotten
- This is not an absolute right and only applies in certain circumstances
- Requests for erasure can be made verbally or in writing
- Erasure requests to an organization (data controller) must be processed without undue delay and within one month from when the request is received
- In certain circumstances, an organization’s response period may be extended by an additional two months
Business Considerations for Organizations to Understand
When does the right to erasure apply?
The GDPR provides that individuals have the right to have their personal data erased if:
- the personal data is no longer necessary for the purpose for which you initially collected or processed it
- you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent
- you are relying on legitimate interests as your basis for processing when the individual objects to the processing of their data and there is no overriding legitimate interest to continue this processing
- you are processing the personal data for direct marketing purposes and the individual objects to that processing
- you have processed the personal data unlawfully (i.e., in breach of the lawfulness requirement of the 1st principle)
- you have to do it to comply with a legal obligation
- you have processed the personal data to offer information society services to a child
When does the right to erasure not apply?
The right to erasure does not apply if processing is necessary for one of the following reasons:
- to exercise the right of freedom of expression and information
- to comply with a legal obligation
- for the performance of a task carried out in the public interest or exercising official authority
- for archiving purposes in the public interest, scientific research, historical research or statistical purposes, where erasure is likely to render impossible or seriously impair the achievement of that processing
- for the establishment, exercise or defense of legal claims
- in specific cases concerning public health and health practitioners
Does personal data need to be erased from backup systems?
If an organization receives a valid request for erasure and no exemptions apply, it must take steps to extend erasure to any backup systems, in addition to live systems, where the individual’s data is stored. How this is done depends on the organization’s particular circumstances, including its retention schedule (particularly for backup systems) and the technical mechanisms available to perform the erasure.
It is necessary to be transparent with data subjects about exactly what will happen to their data once their erasure request is fulfilled. Transparency matters because an organization may choose to remove data from its live systems to satisfy the request within the allotted time, while leaving data in its backup environment for a longer period until it is systematically overwritten by newer data. In such situations, it is vital to ensure that data remaining within backup systems is not used for any purpose and is retained only for a limited amount of time.