Especially if it should have been deleted…
To coin a famous phrase: “I never forget a face but, in your case, I’ll make an exception.”
Whoever would have thought that, in a culture of ever-pervasive social media and self-promotion, some people wouldn’t mind this – and actually want to be forgotten?
Especially when it comes to GDPR and the right to have your personal data deleted.
Yet, how many companies know exactly what’s what when it comes to holding and erasing others’ data?
And, similarly, how well versed are individuals in knowing what their rights are and ensuring that companies comply when they no longer have the right to retain that data?
Well, here’s the low-down…
It’s all about the ‘right to erasure’
No, nothing to do with that great 80s pop duo, the ‘right to erasure’ is also known as the ‘right to be forgotten’.
Often going hand-in-hand with Subject Access Requests, it gives individuals the right to have their personal data erased. A request can be made either verbally or in writing, to any part of an organisation.
Companies have one month to respond to the request although it’s worth remembering that the right is not absolute and only applies in certain circumstances.
Nor is it the only way in which the GDPR places an obligation on organisations to consider whether they ought to delete personal data.
Instances when the right to erasure applies…
People have the right to have personal data erased if:
- it’s no longer being used for the original purpose for which it was collected or processed;
- consent was the lawful basis for holding the data, and they then decide to withdraw this;
- legitimate interests were the basis for processing but they now object to it, and there’s no new, overriding legitimate interest to sustain it;
- the personal data is being used for direct marketing purposes and they now object to this;
- the data is being processed unlawfully!
- erasure is required to comply with a legal obligation;
- it relates to data collected from children.
What organisations need to know…
There’s a legal responsibility to recognise when an individual has made a request and handle it accordingly.
So, it’s worth considering training for those staff who regularly interact with individuals and may receive a request so that they know what to do next.
It’s good practice to have a policy for recording details of the requests received, particularly those made by telephone or in person.
This may be something as simple as a log.
A fee can’t be charged for complying with a request for erasure.
Simple as. Them’s the rules.
The time to respond can be extended by a further two months.
This applies if the request is complex or several requests have been received from an individual.
Data collected from children holds an even greater right to erasure.
This reflects the enhanced protection of children’s information under the GDPR, especially in online environments – and particularly if the original processing is based upon consent given when the individual was a child (even if they are now an adult), as they may not have been fully aware of the risks involved.
Other organisations may need to be notified about the erasure of personal data.
Specifically, when it’s been disclosed to others or been made public in an online environment (for example on social networks, forums or websites).
If personal data has been disclosed to others, each recipient must be notified and informed of the erasure (unless this proves impossible or involves disproportionate effort). And, if asked, organisations must also inform the individuals about who their data has been disclosed to.
(Where personal data has been made public in an online environment, reasonable steps should be taken to inform other controllers processing the personal data to erase all links to, copies or replication of that data.)
Sometimes, though, the right to erasure doesn’t apply, such as when processing is necessary for one of the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation (e.g. the need to keep employees’ details for 6 years once they’ve left);
- for the performance of a task carried out in the public interest or in the exercise of official authority;
- for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
- for the establishment, exercise or defence of legal claims.
In addition, organisations can refuse to comply with a request for erasure if it’s clearly unfounded or excessive (and, if they do decide to deal with it, they can then request a ‘reasonable fee’ to do so, based on the admin costs involved).
Either way, they’ll need to justify their decision and inform the individual that they still have the right to make a complaint to the ICO or another supervisory authority.
Want to know more about correctly handling the right to erasure?
We’re always here to help so if there’s anything else you’re unsure about with the ‘right to be forgotten’ or its processes – from knowing how to recognise a request for erasure and understanding when the right applies to knowing when you can refuse one – do get in touch.
Which reminds us. Sometimes, we’re not so good at remembering names, let alone remembering whether we want to be forgotten or not. But, thanks to Asterix The Gaul, we can always recall our own company moniker...
That’s right. Someone from Asterix’s village inspired our name.
Closely related to the village chief, Vitalstatistix, (and neighbours with Fulliautomatix, the blacksmith, and the fishmonger, Unhygienix) – Databasix was the extremely numerate one.
Possibly. But at least now you’ll never forget it!
Until next time...