What is the right to be forgotten?
How should a company comply with the GDPR rules on data erasure?
What happens in the event of non-compliance?
In this article, we will break down the concept of the right to be forgotten under GDPR.
We will define what it is, how a request is received and recognized, in which cases a company should accept or refuse to erase data, the possible sanctions and more.
Are you ready?
Let’s get started!
What is the right to be forgotten under GDPR?
The right to be forgotten or the right to erasure is a right given to individuals by GDPR to have their personal data erased.
Article 17 GDPR establishes a data subject’s right to be forgotten by stating:
“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay”
This right can be exercised in certain circumstances and cannot necessarily be exercised in all cases.
When can a person exercise the right to be forgotten?
A person can exercise the right to be forgotten in the following cases:
- The purpose for which the company collected the data has been achieved and the data is no longer necessary
- The company was processing on the lawful basis of consent and the data subject withdraws that consent (and there is no other lawful basis)
- The data subject objects to the processing and the company has no overriding legitimate grounds for continuing it
- The data subject objects to the processing of personal data for direct marketing purposes
- The data was processed unlawfully
- The company must erase the personal data to comply with a legal obligation under EU or Member State law (for example, a court judgment)
- The personal data was collected in relation to the offer of information society services directly to a child
Right to be forgotten Google
The concept of the right to be forgotten comes from the Google Spain SL case involving Mario Costeja Gonzalez.
On March 5, 2010, Mario Costeja Gonzalez, a citizen of Spain, filed a claim against Google Spain SL related to search results appearing when typing his name on Google.
By typing the plaintiff’s name on Google, people could see results relating to the confiscation of his house and he did not want that result to appear on search engine result pages.
The Court of Justice of the European Union found that Google Inc. was a data controller: by crawling the web it collected data, retrieved it, recorded it, organized it, indexed it, stored it on its servers and disclosed it or made it available to its users, and it determined the purposes and means of that processing.
Also, because Google Spain was an establishment of Google Inc. in an EU Member State, Google Inc. fell within the territorial scope of the EU Data Protection Directive.
The CJEU decided that Mr. Gonzalez had the right to request that Google remove the links to his personal data from search results for his name, and that Google had an obligation to comply with that request.
This decision confirmed a person’s right to be forgotten and ultimately this right has been codified in GDPR.
Relationship of right to be forgotten and the right to access personal data
The right to obtain the erasure of data complements the data subject’s right to access and obtain a copy of their personal information.
As a logical consequence, if a data subject obtains a copy of their data and discovers, for instance, that the company has no lawful basis to process it, he or she may request the erasure of that data.
The right to erasure is not absolute, however.
Companies can find another lawful basis to process personal data or identify their legitimate interests overriding the data subject’s rights.
If that were to be the case, then the data subject could not demand the erasure.
Right to be forgotten request
Just like the other rights granted to data subjects under GDPR, there are no specific rules as to how a data subject should submit a request to exercise his or her right to be forgotten.
A request can be made by email, through social media channels, letters or even fax.
It’s also important to note that a request can be made to any employee or representative of an organization and does not have to be submitted to a specifically designated person.
To make things a bit more complicated, a request can be considered a valid request if it’s done verbally as well.
Recognizing a request for data erasure
When a request is submitted, the organization should immediately assess whether or not it will recognize the request as the exercise of a person’s right to be forgotten.
In most cases, the company will have to recognize the request.
If a company does not recognize the request, it’s best practice to immediately reach out to the data subject to have the request clarified or completed.
In how long should a company comply with a request to erase personal data?
Article 12 GDPR outlines the procedural requirements for responding to a data erasure request.
From the moment a request is received, a company has one month to act on the request.
Depending on the complexity and number of the requests, a company can extend the response period by up to two further months.
To do that, a company must inform the data subject within the initial one-month period that it will need more time to respond.
The company must also give the reasons for extending the period in which it will respond to the request for data erasure.
When will a company’s rights to process data override the right to be forgotten?
In the following cases (Article 17(3) GDPR), a company's need to keep processing data may override the data subject's right to be forgotten:
- When the processing is necessary to exercise the right of freedom of expression and information
- When a company has to comply with a legal obligation under EU or Member State law
- When a company must comply with a court order
- When data is used to perform a task carried out in the public interest or in the exercise of official authority
- When data is processed for reasons of public interest in the area of public health
- For archiving in the public interest, scientific, historical or statistical purposes, where erasure would seriously impair or make impossible the achievement of those objectives
- When the data is needed to establish, exercise or defend legal claims
Can a company charge fees to erase personal data?
The rule is that a company cannot charge a fee to the data subject when exercising his or her rights under GDPR.
As a result, a company must comply with an individual’s request free of charge.
In some cases though, a company may have the option to demand fees to process the erasure of personal data.
If a request is manifestly unfounded or excessive, a company can demand reasonable fees to cover its administration cost.
Administration cost is not defined under GDPR, so a company must consider the overall nature of the request and the effort required in erasing the personal data or reaching out to third-party organizations to determine the cost on a case-by-case basis.
Companies should make sure they can justify their request for a fee.
If not, data subjects may argue that the company is obstructing their ability to exercise their right.
What happens if a company has shared personal data with others?
In some circumstances, a data controller (and, on its instructions, its processors) must erase a person's personal data pursuant to the person's right to erasure.
What happens when a company is required to erase personal data but they’ve shared the same data to other companies?
In such cases, the company must request that the other organizations erase the data as well.
If a company has made the personal data available on social media, forums, websites or another public online environment, the company must also take measures to erase the data subject’s data from that environment.
The exception to this requirement is where it proves impossible to contact the other organizations to whom the personal data was disclosed, or where doing so would involve disproportionate effort.
Should a company erase personal data in its backup systems?
A company’s obligation to erase data does not distinguish where the personal data is held.
Whether the personal data is held in a backup system, in a quality assurance system or in a production system, the personal data must be erased.
A company must take the necessary measures to erase the data even in its backup systems.
If a company is unable to erase the personal data from its backup system immediately, it must ensure that the personal data is not used until the backup is deleted or overwritten in the normal course of backup rotation.
The Information Commissioner’s Office of the UK indicates that the personal data should be put “beyond use”.
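One way to keep erased data "beyond use" while older backups still contain it, as an added illustration that is not part of the original article or of any regulator's guidance: keep an erasure ledger of tombstones, apply it on every backup restore so the erased records are dropped again instead of reappearing, gate ordinary processing through the same ledger, and discard a tombstone only once every retained backup post-dates the erasure. The record layout (dicts with an "email" field), the salt value and the sample backup contents below are constructed assumptions for the example.

```python
# Added illustration (not from the original article): an erasure ledger that keeps
# erased subjects "beyond use" while old backups still hold their records.
# Assumed design: records are dicts with an "email" field identifying the data
# subject; every backup restore and every processing path consults the ledger.
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Constructed salt for the example; a real deployment would keep it in a secret store.
TOMBSTONE_SALT = b"example-tombstone-salt"


def subject_key(email: str) -> str:
    """Opaque key for a subject, so the ledger does not itself retain the identifier it exists to erase."""
    normalised = email.strip().lower().encode("utf-8")
    return hashlib.sha256(TOMBSTONE_SALT + normalised).hexdigest()


@dataclass
class ErasureLedger:
    """Tombstones: subject key -> UTC time at which the erasure was carried out in live systems."""
    tombstones: Dict[str, datetime] = field(default_factory=dict)

    def record_erasure(self, email: str, when: Optional[datetime] = None) -> None:
        self.tombstones[subject_key(email)] = when or datetime.now(timezone.utc)

    def is_erased(self, email: str) -> bool:
        return subject_key(email) in self.tombstones

    def filter_restore(self, records: List[dict], id_field: str = "email") -> Tuple[List[dict], int]:
        """Apply tombstones to records coming back from a backup.

        Returns the records that may be reloaded and the number suppressed, so the
        restore job can log that erased data was not resurrected.
        """
        kept, suppressed = [], 0
        for rec in records:
            if self.is_erased(rec[id_field]):
                suppressed += 1
            else:
                kept.append(rec)
        return kept, suppressed

    def usable(self, records: Iterable[dict], id_field: str = "email") -> Iterator[dict]:
        """Yield only records of subjects without a tombstone: the 'beyond use' gate for processing."""
        for rec in records:
            if not self.is_erased(rec[id_field]):
                yield rec

    def prune(self, oldest_retained_backup: datetime) -> int:
        """Drop tombstones that are no longer needed.

        A tombstone is needed only while some retained backup predates the erasure.
        Once the oldest backup still kept was taken at or after the erasure, the data
        cannot reappear from a restore, so the tombstone (itself a trace of the subject) can go.
        """
        stale = [k for k, t in self.tombstones.items() if t <= oldest_retained_backup]
        for k in stale:
            del self.tombstones[k]
        return len(stale)


# Constructed sample backup contents for the demonstration.
SAMPLE_BACKUP = [
    {"email": "Alice@Example.com", "order_id": 1001},
    {"email": "bob@example.com", "order_id": 1002},
    {"email": "alice@example.com", "order_id": 1003},
]


def demo() -> dict:
    ledger = ErasureLedger()
    erased_at = datetime(2024, 3, 1, tzinfo=timezone.utc)
    ledger.record_erasure("alice@example.com", erased_at)

    kept, suppressed = ledger.filter_restore(SAMPLE_BACKUP)
    # A backup from before the erasure is still retained: the tombstone must stay.
    pruned_early = ledger.prune(datetime(2024, 2, 1, tzinfo=timezone.utc))
    # Once every retained backup post-dates the erasure, the tombstone can go.
    pruned_late = ledger.prune(datetime(2024, 4, 1, tzinfo=timezone.utc))
    return {
        "kept": kept,
        "suppressed": suppressed,
        "pruned_early": pruned_early,
        "pruned_late": pruned_late,
        "still_erased": ledger.is_erased("alice@example.com"),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points matter here: the ledger stores a salted hash rather than the e-mail address, because a suppression list that holds the identifier in clear would itself be a copy of the data the company was asked to erase; and the prune step ties the lifetime of each tombstone to the backup retention period, so the "beyond use" control ends exactly when the last backup that could resurrect the data is gone.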
Can a company refuse to erase a person’s data?
A company must, in principle, erase personal data when a data subject exercises the right to be forgotten and one of the grounds of Article 17(1) applies.
There is an exception that companies should be aware of.
Article 12(5) GDPR states that:
“where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either: (a) charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or (b) refuse to act on the request”.
Based on this article, a data controller has the right to refuse a data subject request, provided it is able to demonstrate that the request is manifestly unfounded or excessive.
What is a manifestly unfounded request?
GDPR allows a data controller or data processor to either charge a fee or reject a data subject’s right to erasure if the request is manifestly unfounded.
The term ‘manifestly’ refers to a request that is obvious or leaves no doubt that it is unfounded.
Companies should carefully assess an erasure request before rejecting it to ensure that the request is indeed manifestly unfounded.
Here are some examples of manifestly unfounded requests:
- A person has filed a request to get monetary advantages from the company
- The person’s request clearly shows that the objective is to disrupt the company operations
- The request is a person’s way to attack an employee of your company
- The person’s request is malicious
- The person is using the request as a means to harass the organization
What is an excessive request?
A data subject request can also be excessive in nature justifying its rejection.
An excessive request is when a person’s demands are excessive in nature or repetitive.
Companies should carefully assess a request before qualifying it as an excessive request though.
The burden to demonstrate that a request was excessive is on the organization’s shoulder.
Here are some examples of an excessive request:
- Repeatedly requesting the same thing over and over
- The request overlaps with another request
- Submitting the same requests through multiple channels
What’s advisable is that a company assesses the request carefully before rejecting it.
It may be a good practice to reach out to the data subject in order to clarify the request or better scope the request in such a way to eliminate its excessive nature.
If a data subject is unaware of the excessive nature of the request, they may request information in good faith not knowing any better.
Granted, some other individuals may know exactly what they are doing.
Rather than rejecting a request outright, it may be worth considering the option to have the request clarified.
Data erasure request impossible to handle or disproportionate
GDPR recognizes that erasing data can be a significant undertaking for a company that may have thousands, if not millions, of records and processing operations, and that may have disclosed the data to many recipients.
Also, the nature of the personal data is quite relevant.
Erasing non-sensitive data versus erasing special categories of data will impose different obligations on a company.
Article 19 GDPR states the following:
“The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it”
Note what this exception covers: a company may be relieved of the obligation to notify each recipient of the erasure when doing so proves impossible or involves disproportionate effort, but Article 19 does not excuse the company from erasing the data it holds itself.
The burden of proof is on the company to demonstrate that notifying the recipients is impossible or disproportionate.
Companies should carefully assess the request and make sure they can justify relying on the Article 19 exception, and should document which recipients were notified and why any were not.
How to notify the data subject of the request being rejected?
A data controller has the obligation to respond to the data subject's request within one month of receiving it.
If a company intends to fully or partially reject the data subject’s request, it must inform the data subject of its decision in writing within the required timeline.
The data subject must be informed as to why his or her request has been rejected, their right to make a complaint with the relevant supervisory authority and their right to take action before judicial courts.
Infringement of the data subject's right to erasure
Article 83 GDPR allows the supervisory authorities to issue administrative fines in the event of non-compliance or the infringement of GDPR.
Depending on the nature of the infringement, GDPR classifies it in two categories.
One category is for the more serious infringements of GDPR, where the fines can reach the greater of €20,000,000 or 4% of a company's total worldwide annual turnover for the preceding financial year.
The other category is for less serious infringements, where fines can reach the greater of €10,000,000 or 2% of a company's total worldwide annual turnover for the preceding financial year.
A violation of Article 17 GDPR, the data subject's right to be forgotten, falls under the infringement of data subjects' rights in Articles 12 to 22 and is therefore in the higher tier (Article 83(5)(b) GDPR), exposing a company to fines of up to the greater of €20,000,000 or 4% of its total worldwide annual turnover.
Likewise, failing to observe the Article 12 GDPR requirements, such as responding within one month and informing the data subject of the reasons for a refusal and of their right to complain, is an infringement of the same provision (Article 83(5)(b) GDPR) and exposes a company to fines of up to the greater of €20,000,000 or 4% of its total worldwide annual turnover.