Guide: Data Privacy

Right to be Forgotten

Although the EU is not the only regulatory body that gives citizens the right to be forgotten, the GDPR is by far the most comprehensive data privacy regulation that contains the right to be forgotten. Essentially, the right to be forgotten gives EU and UK citizens the right to request an organization to delete their personal data. But, organizations do not always need to comply.

In this article we explore the obligations when individuals exercise their right to be forgotten, this article covers the following topics:

 

To learn more about Data Privacy with Satori read our Data Privacy Guide.

What is the Right to be Forgotten?

The right to be forgotten, also known as the right to erasure, is a fundamental right under the General Data Protection Regulation (GDPR). It gives individuals the right to have their personal data erased from the records of a controller (an organization that processes personal data) and from the records of any processors (organizations that process personal data on behalf of a controller).

With the right to be forgotten, individuals can request that their personal data be erased from the records of a controller and any processors. They can also request that their personal data be erased from any online sources, such as social media platforms or search engines.

The right to be forgotten applies when:

  • The personal data is no longer necessary for the purposes for which it was collected
  • The individual withdraws their consent to the processing
  • The individual objects to the processing and there is no overriding legitimate interest in continuing the processing.

 

Under the GDPR, the right to be forgotten aims to protect individuals’ privacy while giving them more control over their personal data. Organizations need to have processes in place to handle right to be forgotten requests and to respect the rights of individuals.

Where Do People Have the Right to be Forgotten?

Individuals within the EU and EEA have the right to be forgotten under the GDPR. This right also extends to organizations outside of the EU and EEA that process the personal data of individuals within the EU and EEA. The right to be forgotten applies to the processing of personal data by controllers and processors, regardless of where the processing takes place.

Obligations When a Data Subject Exercises Their Right to be Forgotten

Under the General Data Protection Regulation (GDPR), a data controller (an organization that processes personal data) has several obligations when an individual exercises their right to be forgotten, also known as the right to erasure. These obligations include:

  • Responding to the request: The data controller must respond to the right to be forgotten request without undue delay, within one month of receiving the request. This period may be extended by two further months if the request is complex or if the controller has received a large number of requests.
  • Erasing the personal data: The data controller must erase the personal data of the individual from its records and from the records of any processors (organizations that process personal data on behalf of the controller).
  • Notifying third parties: If the data controller has disclosed the personal data of the individual to third parties, it must also inform those third parties about the right to be forgotten request and take reasonable steps to ensure that the personal data is erased from their records.
  • Documenting the request: The data controller must keep a record of the right to be forgotten request and the action taken in response to the request.

 

By fulfilling these obligations, data controllers can ensure that they are respecting the rights of individuals under the GDPR and protecting their privacy.

When Can an Organization Decline a Right to be Forgotten Request?

An organization may decline a right to be forgotten request if the personal data is necessary to:

  • Exercise the right to freedom of expression and information
  • Comply with a legal obligation
  • Perform a task carried out in the public interest
  • Establish, exercise, or defend legal claims

 

In addition, an organization may also decline a right to be forgotten request if the personal data is being processed for scientific, historical, statistical, or archival purposes, provided that the processing is necessary for these purposes. However, in these cases, the organization must implement appropriate safeguards to protect the rights and freedoms of the individual, such as pseudonymizing personal data or limiting access to personal data.

Best Practices for Complying with the Right to be Forgotten

Complying with a right to be forgotten request can cause disruptions in business processes. Data you thought you had can disappear at a moment’s notice. So, here are a few best practices for complying with a right to be forgotten request while minimizing disruptions to your processes:

  • Establish clear processes and procedures: Ensure all processes and procedures for handling right to be forgotten requests are clearly defined. This includes procedures for verifying the identity of the requestor, locating and retrieving the personal data, and erasing the personal data from the records of the controller and any processors.
  • Train employees: Employees should know and understand the processes and procedures for handling right to be forgotten requests, as well as their obligations under the GDPR.
  • Keep accurate records: Record all right to be forgotten requests, including the date of the request, the personal data that was requested to be erased, and the action taken in response to the request.
  • Respond promptly: Make sure to respond to right to be forgotten requests promptly and within the required timeframe.
  • Notify third parties: If the personal data has been disclosed to third parties, make sure to inform them about the right to be forgotten request and take reasonable steps to ensure that the personal data is erased from their records.

Conclusion

The right to be forgotten is a crucial right established within the GDPR. Although it can cause disruptions to business workflows, it provides citizens with more control over the use of their personal data. However, some circumstances allow organizations to decline a right to be forgotten request. 

Satori’s Data Security Platform can help you better comply with the right to be forgotten and applicable data regulations while minimizing business disruptions.

To learn more:

The information provided in this article and elsewhere on this website is meant purely for educational discussion and contains only general information about legal, commercial and other matters. It is not legal advice and should not be treated as such. Information on this website may not constitute the most up-to-date legal or other information. The information in this article is provided “as is” without any representations or warranties, express or implied. We make no representations or warranties in relation to the information in this article and all liability with respect to actions taken or not taken based on the contents of this article are hereby expressly disclaimed. You must not rely on the information in this article as an alternative to legal advice from your attorney or other professional legal services provider. If you have any specific questions about any legal matter you should consult your attorney or other professional legal services provider. This article may contain links to other third-party websites. Such links are only for the convenience of the reader, user or browser; we do not recommend or endorse the contents of any third-party sites.