Right to Erasure (Right to Be Forgotten) – art. 12, 17
A data subject has the right to have personal data permanently deleted. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.
Individuals have the right to have their personal data erased if:
- the personal data is no longer necessary for the purpose which you originally collected or processed it for;
- you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
- you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
- you are processing the personal data for direct marketing purposes and the individual objects to that processing;
- you have processed the personal data unlawfully (ie in breach of the lawfulness requirement of the 1st principle);
- you have to do it to comply with a legal obligation; or
- you have processed the personal data to offer information society services to a child.
Implement a process and the technical capabilities to:
- track all data relating to requester in your systems,
- vet a right to erasure request,
- erase all data in the request, and
- confirm that erasure to the requester.
In addition, implement processes and technical capabilities to:
- Automatically delete data after a determined retention period, unless the data is still required.
- Inform other processors to whom data was passed of the request.
- Receive a right to erasure request from another data controller or processor, and to perform it.