The right to erasure
Unlock This Video Now for FREE
This video is normally available to paying customers.
You may unlock this video for FREE. Enter your email address for instant access AND to receive ongoing updates and special discounts related to this topic.
The right to erasure or the “right to be forgotten” is not absolute and only applies in certain circumstances. An individual has the right to have their personal data erased if the personal data is no longer necessary for the purpose you initially collected and processed it for, or where you are relying on consent as your lawful basis processing and the individual then withdraws their consent. If you are relying on legitimate interests as your lawful basis for processing and the individual objects yet there is no overriding legitimate interest to continue the processing, the right to erasure remains.
If you are processing the data for direct marketing, if the individual is a child or if you have processed the data unlawfully, the individual has the right to erasure. This will also apply where you have to erase data to comply with a legal obligation.
If you have shared data that is subject to erasure with another organisation you will need to inform them. So when does the right to erasure not apply?
The right to erasure does not apply if processing is necessary for one of the following reasons:
- To exercise the right of freedom of expression and information or to comply with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority, for archiving purposes in the public interest, or for scientific or historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing.
Note that it does not apply for the establishment, exercise or defence of legal claims.
The GDPR also specifies two circumstances where the right to erasure will not apply to special category data:
- Firstly, if the processing is necessary for public health purposes in the public interest (e.g. protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or if the processing is necessary for the purposes of preventative or occupational medicine (e.g. where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (e.g. a health professional).
- The request can be made verbally or in writing and to any part of your organisation, and you have 28 days to respond. You can refuse to comply with a request for erasure if it is manifestly unfounded or excessive, taking into account whether or not the request is repetitive in nature.
- If you consider that a request is manifestly unfounded or excessive you can either request a "reasonable fee" to deal with the request, or simply refuse to deal with the request. In either case, you will need to justify your decision.
- You should base the reasonable fee on the administrative costs of complying with the request and if you decide to charge a fee you should contact the individual promptly and inform them. You do not need to comply with the request until you have received the fee.