What is the GDPR’s “Right to Erasure”?

The “Right to Erasure”, also known as the “right to be forgotten”, is one of the eight data subject rights mandated by the General Data Protection Regulation (GDPR).

According to Article 17 of the GDPR, data subjects have the right to request the erasure of all personal data held about them by a data controller (an organisation who controls the purpose of and means by which one’s personal data is processed). The legislation goes on to say that, given certain grounds for erasure, the data controller must do so without “undue delay” and within one month of their receipt of the request.

Whether you want to take more control over your personal data, or are a business trying to achieve GDPR compliance, here’s what you need to know about the Right to Erasure.

When does the Right to Erasure apply?

While certain organisations are legally required to comply with these requests, they only need to do so under the following conditions:

1. Your personal data is no longer required or used for the purposes for which they were collected.
2. The data controller had initially collected and kept your data on the lawful basis of your consent, which you have withdrawn.
3. You exercise your Right to Object to processing and there are no other overriding legitimate grounds for processing.
4. Your personal data have been unlawfully processed.
5. The data controller must erase your data in order to comply with legal obligations that they are subject to.
6. The data was personal data collected from children via information society services, that is, “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.”

Some common examples of these services are apps and websites such as social media, online shops, and streaming platforms.

The GDPR also notes the circumstances in which the Right to Erasure doesn’t apply, which includes:

• Exercising the right of freedom of expression and information.
• Complying with legal obligations which require processing of the data in question.
• Reasons of public interest in public health.
• Archiving purposes in the public interest, scientific, historical research, or statistical purposes, provided the processing is done in compliance with Article 89 of the GDPR.
• The establishment, exercise, or defence of legal claims.

How do I request the right to be forgotten?

The GDPR doesn’t specify a particular method or format to request the erasure of your personal data. Generally, one can simply contact the relevant data controller and provide a written or verbal request to have their information erased.

Depending on the organisation you’re dealing with, you may need to provide certain details such as personal identification, contact information, the reason why you want your data to be erased, and state which information specifically you’d like to be erased.

Generate a GDPR privacy policy for your small business

Create a custom GDPR-compliant policy in minutes with our privacy policy generator. Generate your privacy policy now.