The right to be forgotten is a part of GDPR law that can be tricky to comply with. How do companies fulfil this requirement? Read on to find out.
What is the Right to be Forgotten?
Under Article 17 of the UK GDPR, an individual can request that their personal data be erased. This is known as the 'right to be forgotten' or the 'right to erasure'.
A ruling made by the Court of Justice of the European Union declared that individuals have the right to ask (verbally or in writing) search engines like Google to delist certain results for queries on the basis of a person’s name.
The search engine must comply if the links in question are 'inadequate, irrelevant or no longer relevant or excessive', taking into account public-interest factors including the individual’s role in public life. Since that ruling in May 2014, Google has received over 1 million requests to have URLs delisted.
When does the Right to be Forgotten apply?
The right to be forgotten is not absolute and only applies in certain circumstances. An organisation must comply with an individual's request to have their personal data erased if:
- The personal data is no longer necessary for the purpose it was originally collected or processed for
- They're relying on consent as their lawful basis for holding personal data and the individual withdraws their consent
- They rely on legitimate interests as their basis for processing, the individual objects to the processing of their data and there is no overriding legitimate interest to continue this processing
- They're processing the personal data for direct marketing purposes and the individual objects to that processing
- An individual's personal data has been processed unlawfully
- The personal data has to be erased to comply with a legal obligation
- They've processed the personal data to offer information society services to a child
How should organisations respond to requests?
Upon receiving a request from a data subject, an organisation has one month to delete that person's data (unless an exemption applies).
The organisation is also required to tell any other organisations it has shared the data with about the erasure. It can only refuse to do this if it would be impossible or involve a disproportionate effort. If asked, it must also tell the data subject that their data has been shared with other organisations.
If the data has been made public online, such as on social networks, forums or websites, then the organisation must take reasonable steps to inform those responsible for these sites that links to, or copies of, that data should be erased.
Can you reject a request to delete personal data?
Sometimes an organisation’s right to process an individual's data takes precedence over their right to be forgotten. Here are the reasons cited in the GDPR when this may occur:
- The data is being used to exercise the right of freedom of expression and information
- The data is being used to comply with a legal ruling or obligation
- The data is being used to perform a task that is being carried out in the public interest or when exercising an organisation's official authority
- The data being processed is necessary for public health purposes and serves the public interest
- The data being processed is necessary to perform preventative or occupational medicine. This only applies when the data is being processed by a health professional who is subject to a legal obligation of professional secrecy.
- The data represents important information that serves the public interest, scientific research, historical research or statistical purposes, and erasing it would be likely to impair or prevent the achievement of the objectives of that processing.
- The data is being used for the establishment of a legal defence or in the exercise of other legal claims.
What happens if you breach this fundamental right?
Belgium's data protection authority (APD) issued its largest-ever fine (€600,000) to Google, for failing to implement the right to be forgotten.
Google failed to delete links to "obsolete" news stories, which were considered to be harmful to the reputation of a person with a public profile in Belgium. These stories appeared in search results linked to the person's name, which resulted in their regular harassment.
The APD ruled that Google was negligent as they were in possession of clear evidence that the content of these news stories was outdated and irrelevant. Google was ordered to stop referencing the stories within Europe, and publish less ambiguous information about who is responsible for handling 'right to be forgotten' requests.