Embedded Files
The Right To Erasure
The Right To Erasure
What is the right to erasure?
What is the right to erasure?
Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.
When does the right to erasure apply?
When does the right to erasure apply?
Individuals have the right to have their personal data erased if:
- the personal data is no longer necessary for the purpose which you originally collected or processed it for;
- you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
- you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
- you are processing the personal data for direct marketing purposes and the individual objects to that processing;
- you have processed the personal data unlawfully (ie in breach of the lawfulness requirement of the 1st principle);
- you have to do it to comply with a legal obligation; or
- you have processed the personal data to offer information society services to a child.
Do they have to tell other organisations about the erasure of personal data?
Do they have to tell other organisations about the erasure of personal data?
The GDPR specifies two circumstances where you should tell other organisations about the erasure of personal data:
- the personal data has been disclosed to others; or
- the personal data has been made public in an online environment (for example on social networks, forums or websites).
If you have disclosed the personal data to others, you must contact each recipient and inform them of the erasure, unless this proves impossible or involves disproportionate effort. If asked to, you must also inform the individuals about these recipients.
The GDPR defines a recipient as a natural or legal person, public authority, agency or other body to which the personal data are disclosed. The definition includes controllers, processors and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Where personal data has been made public in an online environment reasonable steps should be taken to inform other controllers who are processing the personal data to erase links to, copies or replication of that data. When deciding what steps are reasonable you should take into account available technology and the cost of implementation.
Do they have to erase personal data from backup systems?
Do they have to erase personal data from backup systems?
If a valid erasure request is received and no exemption applies then they will have to take steps to ensure erasure from backup systems as well as live systems. Those steps will depend on their particular circumstances, their retention schedule (particularly in the context of its backups), and the technical mechanisms that are available to them.
They must be absolutely clear with individuals as to what will happen to their data when their erasure request is fulfilled, including in respect of backup systems.
It may be that the erasure request can be instantly fulfilled in respect of live systems, but that the data will remain within the backup environment for a certain period of time until it is overwritten.
The key issue is to put the backup data ‘beyond use’, even if it cannot be immediately overwritten. They must ensure that they do not use the data within the backup for any other purpose, ie that the backup is simply held on your systems until it is replaced in line with an established schedule. Provided this is the case it may be unlikely that the retention of personal data within the backup would pose a significant risk, although this will be context specific. For more information on what we mean by ‘putting data beyond use’ see our old guidance under the 1998 Act on deleting personal data (this will be updated in due course).
When does the right to erasure not apply?
When does the right to erasure not apply?
The right to erasure does not apply if processing is necessary for one of the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation;
- for the performance of a task carried out in the public interest or in the exercise of official authority;
- for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
- for the establishment, exercise or defence of legal claims.
The GDPR also specifies two circumstances where the right to erasure will not apply to special category data:
- if the processing is necessary for public health purposes in the public interest (eg protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or
- if the processing is necessary for the purposes of preventative or occupational medicine (eg where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (eg a health professional).
For more information about special categories of data please see our Guide to the GDPR.
Can they refuse to comply with a request for other reasons?
Can they refuse to comply with a request for other reasons?
They can refuse to comply with a request for erasure if it is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.
If they consider that a request is manifestly unfounded or excessive they can:
- request a "reasonable fee" to deal with the request; or
- refuse to deal with the request.
In either case you will need to justify your decision.
They should base the reasonable fee on the administrative costs of complying with the request. If they decide to charge a fee they should contact the individual promptly and inform them. They do not need to comply with the request until you have received the fee.
In more detail – Data Protection Act 2018
There are other exemptions from the right to erasure contained in the DPA 2018. These exemptions will apply in certain circumstances, broadly associated with why you are processing the data. Please see our guidance on the application of these exemptions.
What should they do if they refuse to comply with a request for erasure?
What should they do if they refuse to comply with a request for erasure?
They must inform the individual without undue delay and within one month of receipt of the request.
They should inform the individual about:
- the reasons you are not taking action;
- their right to make a complaint to the ICO or another supervisory authority; and
- their ability to seek to enforce this right through a judicial remedy.
They should also provide this information if you request a reasonable fee or need additional information to identify the individual.
How do they recognise a request?
How do they recognise a request?
The GDPR does not specify how to make a valid request. Therefore, an individual can make a request for erasure verbally or in writing. It can also be made to any part of your organisation and does not have to be to a specific person or contact point.
A request does not have to include the phrase 'request for erasure' or Article 17 of the GDPR, as long as one of the conditions listed above apply.
This presents a challenge as any of your employees could receive a valid verbal request. However, you have a legal responsibility to identify that an individual has made a request to you and handle it accordingly. Therefore you may need to consider which of your staff who regularly interact with individuals may need specific training to identify a request.
Additionally, it is good practice to have a policy for recording details of the requests you receive, particularly those made by telephone or in person. You may wish to check with the requester that you have understood their request, as this can help avoid later disputes about how you have interpreted the request. We also recommend that you keep a log of verbal requests.
Can they charge a fee?
Can they charge a fee?
No, in most cases they cannot charge a fee to comply with a request for erasure.
However, as noted above, where the request is manifestly unfounded or excessive they may charge a “reasonable fee” for the administrative costs of complying with the request.
How long do they have to comply?
How long do they have to comply?
They must act upon the request without undue delay and at the latest within one month of receipt.
They should calculate the time limit from the day after you receive the request (whether the day after is a working day or not) until the corresponding calendar date in the next month.
Example
An organisation receives a request on 3 September. The time limit will start from the next day (4 September). This gives the organisation until 4 October to comply with the request.
If this is not possible because the following month is shorter (and there is no corresponding calendar date), the date for response is the last day of the following month.
If the corresponding date falls on a weekend or a public holiday, you will have until the next working day to respond.
This means that the exact number of days you have to comply with a request varies, depending on the month in which the request is made.
Example
An organisation receives a request on 30 March. The time limit starts from the next day (31 March). As there is no equivalent date in April, the organisation has until 30 April to comply with the request.
If 30 April falls on a weekend or is a public holiday, the organisation has until the end of the next working day to comply.
For practical purposes, if a consistent number of days is required (eg for operational or system purposes), it may be helpful to adopt a 28-day period to ensure compliance is always within a calendar month.
Can they extend the time for a response?
Can they extend the time for a response?
They can extend the time to respond by a further two months if the request is complex or you have received a number of requests from the individual. You must let the individual know without undue delay and within one month of receiving their request and explain why the extension is necessary.
However, it is the ICO's view that it is unlikely to be reasonable to extend the time limit if:
- it is manifestly unfounded or excessive;
- an exemption applies; or
- you are requesting proof of identity before considering the request.
Can they ask an individual for ID?
Can they ask an individual for ID?
If you have doubts about the identity of the person making the request you can ask for more information. However, it is important that you only request information that is necessary to confirm who they are. The key to this is proportionality. You should take into account what data you hold, the nature of the data, and what you are using it for.
You must let the individual know without undue delay and within one month that you need more information from them to confirm their identity. You do not need to comply with the request until you have received the additional information.
[Your name]
[Your address]
[Your address]
[Your address]
[Your postcode]
[Date]
Data Protection Officer
[DCA Address 1]
[DCA Address 2]
[DCA Address 3]
[DCA Postcode]
NOTICE ISSUED PURSUANT ARTICLE 17 & ARTICLE 21 GDPR
I write pursuant to my rights granted under Article 17 of the General Data Protection Regulations. the right to erasure.
I hereby give you Notice that you must, within the time periods prescribed below, permanently cease processing all personal data of which I am the data subject. If you do not normally handle Data Protection Notices for your organisation, please pass this Notice to your Data Protection officer or another appropriate official.
THE MEANING OF THIS NOTICE
For the avoidance of doubt this Notice requires you to do all of the following:
(1) Within 3 days of receipt of this letter to cease or not to begin to:
(a) Obtain;
(b) Record; or
(c) Hold, any personal data of which I am the data subject (“my personal data”); and
(2) With immediate effect to cease or not to begin to carry out any operation or a series of operations involving my personal data including operations that would amount to the:
(a) Organisation, adaption or alteration;
(b) Retrieval, consultation or use;
(c) Disclosure by transmission, dissemination or otherwise making available; or
(d) Alignment or combination, of information or data.
GROUNDS FOR NOTICE
My grounds for giving you this Notice are:
(a) The processing of my personal data by you is causing or is likely to cause substantial damage to me and any person residing with me, due to a lack of ability to obtain credit caused by wrongful processing of my data
(b) The processing of my personal data by you is illegal as you do not have my consent.
(c) The processing of my personal data is illegal as we do not have a contract.
(d) The processing of my personal data is illegal as you have no proven legal obligation that applies to your organisation.
(e) The processing of my personal data is illegal as it is not necessary for you to protect my vital interests.
(f) In any case the damage and/or distress is unwarranted.
NO EXEMPTION FROM THE PROVISIONS OF ARTICLE 17 & 21 OF THE GENERAL DATA PROTECTION REGULATIONS
You are not excused compliance with this Notice under the provisions of Article 17 & 21 of the GDPR by virtue of the reasons set out below:
(1) I have not given you my consent to process my personal data.
(2) I am not a party to a contract with you.
(3) You have no proven legal obligation with which you must comply and which would permit you to process my personal data.
(4) No processing undertaken by you could be undertaken to protect my vital interests.
WHAT YOU MUST DO NEXT
In any event you must within 21 days of receiving this Notice give me Notice in writing stating:
(1) You have complied with the provisions of this Notice in full; or
(2) You have complied with the provisions of this Notice in part , stating which parts; and
(3) As to the parts not so complied with, your reasons for not doing so, including evidence that you can substantiate.
WARNING: CONSEQUENCES OF FAILURE TO COMPLY WITH THIS NOTICE
Should you fail to comply with the provisions of this Notice, I reserve absolutely the right to obtain, without further reference to you, a county court or High Court order to compel you to comply with this Notice together with an order that you pay my associated legal costs in full and for me to make an application for damages associated with your unlawful processing of my personal data.
Yours sincerely
[Your Name]
Google Sites
Report abuse