This article gives a practical explanation of the new GDPR data privacy ‘right to erasure’ and the steps organisations should take to ensure GDPR compliance.
By: Sarah Piron
Firm: Claeys & Engels
From 25 May 2018, the ‘right to be forgotten’, which so far exists only in the narrow form established by case law (the deindexing of search-engine results), will be extended and codified by Article 17 of the General Data Protection Regulation (GDPR).
The European Court of Justice first established European citizens’ right to ask search engines to ‘deindex’ certain information concerning them, under certain conditions, in its judgment in the Google Spain v AEPD case of 13 May 2014. In particular, the Court held that this right to be forgotten does not apply where the data subject plays a role in public life that justifies the public’s interest in having access to the information. Although restricted, this newly created right generated much publicity and public interest.
Article 17 of the GDPR extends the right to be forgotten, specifying that the data subject has the right to obtain from the data controller the erasure of personal data concerning him or her ‘without undue delay’. In this article we address some practical questions related to this new provision.
In what circumstances does the right to erasure apply?
This right to erasure is not an absolute right. Article 17.1 of the GDPR provides six grounds on which the data subject may request the erasure of his or her personal data (the right to object is split into two bullets below, following Article 21):
- when the personal data concerned is no longer necessary for the purposes for which it was collected or otherwise processed by the controller;
- when the data subject withdraws the consent on which the processing is based (including explicit consent to the processing of special categories of ‘sensitive’ data under Article 9.2(a) of the GDPR) and there is no other legal basis for the processing;
- when the data subject objects to processing based on a task carried out in the public interest or on the legitimate interests pursued by the controller or a third party, and there are no overriding legitimate grounds for the processing (Article 21.1 of the GDPR);
- when the data subject objects to processing of his or her data for direct marketing purposes, including profiling, to the extent that it is related to such direct marketing (Article 21.2 of the GDPR);
- when the personal data has been the subject of unlawful processing;
- when the personal data must be erased to comply with a legal obligation under European Union or Member State law to which the controller is subject;
- when the personal data has been collected in relation to the offer of information society services (online services) directly to a child, as referred to in Article 8.1 of the GDPR.
Although this list is exhaustive, it covers a large number of cases. Moreover, the right to object, where erasure can be requested (described in the third and fourth bullets above), is also extended by the GDPR:
‘The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on [the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or the legitimate interests pursued by the controller or by a third party], including profiling based on those provisions’ (Article 21.1 of the GDPR).
However, it should be emphasised that this right to erasure or to be forgotten does not apply in a few specific cases, listed in Article 17.3 of the GDPR, where a higher interest is at stake. These are where the processing is necessary for:
- the exercise of the right to freedom of expression and information;
- compliance with an EU or Member State legal obligation;
- a public interest reason in the public health field;
- archiving in the public interest, or processing for scientific or historical research or statistical purposes, where the right to erasure or to be forgotten is likely to render impossible or seriously impair the achievement of the objectives of that processing;
- the establishment, exercise or defence of legal claims.
What are the controller’s obligations?
When the data subject requests the erasure of his or her personal data in one of the cases above, the data controller must delete the personal data concerned ‘without undue delay’ and in any case within one month of receipt of the request (Article 12.3 of the GDPR). That period may be extended by two further months where necessary, taking into account the complexity and number of requests, provided the data subject is informed of the extension and the reasons for it within the first month.
If the controller has made the personal data involved public and is obliged to erase it, it must take ‘reasonable steps, including technical measures’, taking into account the available technology and the cost of implementation, to inform other controllers that are processing the personal data that the data subject has requested the erasure of any links to, or copies or replications of, that personal data (Article 17.2 of the GDPR).
In accordance with Recital 59 and Article 12.4 of the GDPR, a controller that does not intend to act on a data subject’s request for erasure must inform the data subject, within the same one-month period, of the reasons for its refusal and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
Article 13 of the GDPR (and Article 14, for data not obtained directly from the data subject) states that the data controller must inform the data subject of ‘the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period’. This also reinforces the idea that personal data must be erased once the stated retention period has expired, whether or not the data subject asks for it.
What penalties apply?
The GDPR allows each supervisory authority to impose administrative fines for non-compliance with its provisions. The maximum amount depends on the provisions violated.
Infringements of ‘the data subjects’ rights’, including the right to erasure or to be forgotten, fall into the higher tier: under Article 83.5 of the GDPR the controller may be liable to an administrative fine of up to EUR 20 million or, in the case of an undertaking, up to 4% of its total worldwide annual turnover for the preceding financial year, whichever is higher.
Organisations need to consider now how they will handle erasure requests and, where necessary, adapt their internal processes for processing personal data. In particular they should:
- Put in place mechanisms to verify that personal data is not retained longer than necessary in the context of a data retention policy.
- Provide data subjects with clear information and a practical way to exercise their right to erasure or to be forgotten (for example, by explaining to whom and how a request should be addressed). This can be done as part of fulfilling the obligation to inform (in practice, in the privacy statement or privacy notice).
- Put in place a system to record disclosures of personal data to other data controllers and recipients, so that each recipient can be identified and notified of an erasure (as Article 19 of the GDPR requires).
- Set up internal regulations for the employees who are responsible for processing personal data (HR department, marketing, etc.), explaining the rules and procedures to be followed when data subjects invoke the right to erasure.
- Implement a procedure to enable the controller to inform other controllers, efficiently and in a timely manner, of the erasure request made by the data subject and to ensure the effective deletion of links to or copies of the data in question.