Article 17 and Recitals 65 & 66 of the Applied GDPR relate to this right, which is also referred to as “the right to be forgotten”. This right includes an entitlement for individuals to ask to be given details of the recipients to whom the controller has disclosed the personal data which is the subject of the request for erasure.
Although individuals have the right to obtain erasure of their personal data without undue delay on request, the right is not absolute and controllers are only obliged to erase personal data in the circumstances specified in Article 17(1).
The right can be exercised when one of the following applies:
- consent is withdrawn and the controller has no other grounds for processing that personal data;
- the right to object to direct marketing has been exercised (Article 21(3));
- the right to object to processing has been exercised and there are no other grounds for processing.
or the data:
- is no longer necessary for the purpose(s) for which they were collected or otherwise processed;
- has been unlawfully processed;
- have to be erased to comply with a legal obligation on the controller;
- was collected in relation to information society services and relates to a child (or a child that has now reached maturity)
Action to be taken by controllers
- respond to the individual without undue delay and within one month to communicate the action, or inaction, taken;
- communicate the erasure to each recipient it has been disclosed to (Article 19);
- if the individual has requested to be informed about the recipients, communicate those details to to the individual (Article 19);
- where the controller has made public the personal data it is obliged to erase, it must take reasonable steps, including technical measures, to inform other controllers processing that personal data that the individual has requested the erasure by such controllers of any links to, or copy or replication of, those personal data. (Article 17(2)).
Limitations and restrictions
There are limitations on the extent of the exercise of the right set out in Article 17(3) of the Applied GDPR if the processing is necessary:
- for exercising the right of free speech (journalism, literature, art etc)
- compliance with a legal obligation in relation to a task carried out by virtue of public interest or in exercise of official authority
- public interest in the area of public health
- archiving in the public interest, research or statistical purposes
- establishment, defence or exercise of legal claims
Refusing a request
Controllers may refuse to comply with all or part of the request for erasure but must be able to justify its decision.
Requests may be refused in cases where:
- none of the grounds in Article 17(1) apply;
- a limitation on the right set out in Article 17(3) can be justified in the particular circumstances;
- the request is manifestly unfounded or excessive, in particular if it is repetitive;
- a restriction on the right can justified in the particular circumstances (Article 23).
Non-compliance with requests to exercise rights
If the controller is not taking action on the request of the individual to exercise any right, it must inform the individual “without delay” (and within ONE month of receipt of the request) about:
- the reasons for not taking action; and
- their remedies, in particular the right to lodge a complaint with a supervisory authority and to seek a judicial remedy.