Right to be forgotten

The right to be forgotten or the right to erasure is the right of the data subject to ask for the erasure of personal data from the data controller.

Statutory deadline

The data controller should erase the data without undue delay and at least within one month after the request was received. There are certain situation where the deadline can be longer:

  • if the data subject is requested to confirm the identity (for example provide a copy of an ID)
  • or if the data controller charges a fee (this can only be applicable in certain situations and is advised to avoid)

Response time can be further extended by two months if the data controller (the organization) has received more requests from one data subject or if the request is complex. However, the controller should notify an individual within one month from receiving the request and explain the circumstances and the reasons behind the extension.

When is the right to be forgotten applicable

There are several grounds where the right is applicable:

  • The personal data is no longer necessary in relation to the purposes for which they were collected
  • The data subject withdraws consent and there is no legal ground for the processing of personal data, meaning the lawful basis for processing no longer exists.
  • The personal data have been unlawfully processed;
  • Data subject objects to the processing and the data controller has no overriding grounds to continue processing (Article 21 (1)(2))
  • Data erasure is necessary for compliance with a legal obligation in Union or Member State law to which the controller is subject
  • the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

When can the data controller decline the request to delete data?

There are situations where organizations can decline data subjects’ request if the processing is necessary:

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing by Union or Member State law or for the performance of a task carried out in the public interest or in the exercise of official authority;
  • for reasons of public interest in the area of public health
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
  • for the establishment, exercise or defense of legal claims.