The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients.
Question: Do companies always have to honor right to be forgotten requests?
Answer: No. Although the GDPR indicates that people have a "right to be forgotten", that right is not absolute. Rather, it exists only in the following six limited situations:
- Companies must delete data upon request if the data is no longer necessary. If personal data that was collected by a company about an individual is "no longer necessary in relation to the purposes for which [it was] collected," the company typically must honor a right to be forgotten request.[1] On some level, however, the right to be forgotten may be redundant to other requirements found within the GDPR. Specifically, Article 5 of the GDPR independently requires that a company keep data in a personally identifiable form "for no longer than is necessary for the purposes for which the personal data are processed."[2] As a result, if a company properly complies with Article 5 of the GDPR, there may be few, if any, situations in which a right to be forgotten request premised on the fact that the data is no longer necessary requires the company to take any additional action. On the other hand, the existence of the right to be forgotten exposes a company that is not complying with Article 5 to additional civil liability vis-à-vis the individual who seeks to enforce that right.
- Companies must delete data upon request if the data was processed based solely on consent. The GDPR recognizes that companies may process data based on six alternative lawful grounds.[3] One of these is where a person has "given consent" to the processing for a specific purpose.[4] If a company's sole basis for processing data is the consent of an individual, the company is typically required to honor a right to be forgotten request, which might for all practical purposes be viewed as a revocation of that consent. Conversely, if processing is based on an additional permissible ground (e.g., performance of a contract), the right to be forgotten request does not necessarily have to be granted.
- Companies must delete data upon request if the data was processed based upon the controller's legitimate interest, and that interest is outweighed by the data subject's rights. One of the other grounds upon which a company can process data is to further the company's "legitimate interest." When processing is based upon a company's legitimate interest, a data subject has a right to request deletion unless the controller's or a third party's interest is demonstrably "overriding."[5] So, for example, if a company uses an individual's email address for direct marketing, and the individual requests that his information be deleted, the company may have to honor that request, as it would be difficult for it to demonstrate that its interest in direct marketing overrides the individual's interest in having his information erased.
- Companies must delete data upon request if the data is being processed unlawfully. The GDPR states that a right to be forgotten request must be honored if the processing of the personal data is (or has become) unlawful.[6] Here, too, the obligation to honor a deletion request may be redundant to other obligations within the GDPR. Put differently, if a company is complying with the other requirements of the GDPR, its processing would presumably be lawful, and there may be few, if any, situations in which a right to be forgotten request would require that the company take any additional action. Framing this as an individual's right, however, opens up an additional source of civil liability for the company towards the individual.
- Companies must delete data upon request if erasure is already required by law. The GDPR states that a right to be forgotten request must be honored if the data is required to "be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject."[7] This requirement also appears redundant to other legal obligations. If a company is required to erase data pursuant to another Union or Member State law and is complying with that requirement, there may be few, if any, situations in which additional action would be necessitated by a right to be forgotten request.
- Companies must delete data upon request if it was collected from a child as part of offering an information society service. The GDPR requires the deletion of information when requested where the information was "collected in relation to the offer of information society services" to children under 16.[8]
Even if one of the situations described above is present, a company does not always need to honor a right to be forgotten request. For example, a company can decline such a request if honoring it would interfere with a legal obligation imposed on the company to maintain the data, or if the data is needed to establish, exercise, or defend a legal claim.[9]