Under the GDPR, the right of Data Erasure enables an EU resident to request that their Personal Data be erased. Such a request is referred to as “Erasure Requests”. The right to Erasure is also known as “The right to be forgotten”.
However, it is important to understand that this right is not absolute, and only exists in certain circumstances. For example, Personal Data which is held on the grounds of performance of a contract does not fall under the right of of Data Erasure.
FAQ #1 ~ Under what circumstances does the right of Data Erasure occur?
The right of Data Erasure would normally arise when at least one of the following situations occurs:
- If you have been, or are still Processing the Personal Data unlawfully;
- If you have to erase the Personal Data in order to comply with your legal obligations;
- If the Personal Data being held is no longer required for the original purpose for which it was provided, collected or processed;
- If you are only Processing the individual’s Personal Data for the purposes of direct marketing and the individual objects to that Processing;
- If you have been relying solely on explicit consent, but the individual has since withdrawn their consent, and you have no other Lawful Basis for continuing to Process this Personal Data;
- If you have been relying on Legitimate Interest for Processing the Personal Data, but the individual objects to the Processing, and there is no overriding Legitimate Interest that justifies continued Processing.
FAQ #2 ~ When does the right to erasure not apply? *1
According to the GDPR, the right of Data Erasure does not apply if Processing is necessary for one of the following reasons:
- to comply with a legal obligation;
- to exercise the right of freedom of expression and information;
- for performing a task which is carried out in the public interest, or in the exercise of official authority;
- for archiving purposes in the public interest, scientific research, historical research or statistical purposes, where erasure is likely to render impossible or seriously impair the achievement of that processing; or
- for the establishment, exercise or defence of legal claims.
The GDPR also specifies two circumstances where the right to erasure will not apply to special category data:
- if the processing is necessary for public health purposes in the public interest (eg protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or
- if the processing is necessary for the purposes of preventative or occupational medicine (eg where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (eg a health professional).
For more information about special categories of data please see our Guide to the GDPR.
FAQ #3 ~ How do I know if I have received a right to Data Erasure Request?
At the time of publishing this post, there is no official, or specific form that individuals must use to make an Erasure Request. A person can simply send a letter or email – even a ‘tweet’. They can also make an Erasure Request verbally. Also, there is no requirement for individuals to use the term ‘Erasure’ explicitly. Someone might simply request that you delete any, or all information that you hold on them.
Basically, any time an individual asks you to delete their Personal Data, you absolutely must treat this as an Erasure Request.
FAQ #4 ~ What should I do if I have doubts concerning the identity of the requestor – or if I cannot locate the related Personal Data?
If you have any concerns about the identity of the requestor, you should contact them and ask for the additional information you need in order to respond. However, you should not ask for more information than you need to fulfil this purpose.
Be sure to contact the individual as soon as possible after receiving the Erasure Request.
*1 Source: Information Commissioner’s Office (https://ico.org.uk) licensed under the Open Government Licence.
IMPORTANT: The answers given to the above questions are not conclusive and do not constitute legal advice. Individual circumstances may differ significantly. Contact The GDPR Guys for clarification and more information.