Right to be forgotten

The right to be forgotten, or the right to erasure, allows individuals (data subjects) to request that an organization (data controller) delete their personal data.

When is the right to be forgotten applicable?

Upon receiving a request, the organization is obligated to erase data if:

• the personal data is no longer necessary for the purposes for which it was collected
• the individual withdraws consent and there is no ground for the processing of personal data
• the personal data have been unlawfully processed
• the individual objects to the processing that was based on legitimate interest, and the organization has no grounds to continue processing
• data erasure is necessary for compliance with a legal obligation in Union or Member State law
• the personal data have been collected in relation to the offer of information society services
• the individual objects to the use of personal data for direct marketing purposes

When can the data controller decline the request to delete data?

There are situations where organizations can decline a request if the processing is necessary for:

• exercising the right of freedom of expression and information
• compliance with a legal obligation which requires processing by Union or Member State law
• reasons of public interest in the area of public health
• archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
• the exercise or defense of legal claims

The request could also be declined if it is considered excessive or unfounded. However, every case should be reviewed separately, and the special circumstances of each case should be taken into account.

A request will be considered unfounded if the individual intends to cause disruption or to harass employees.

Legal deadline

Organizations should erase the data without undue delay and at the latest within one month after the request was received. There are certain situations where the deadline can be longer if:

• the individual is requested to confirm their identity (for example, to provide a copy of an ID)
• the organization charges a fee (this can only be applicable in certain situations and is best avoided)

Response time can be further extended by two months if the organization has received multiple requests from one individual or if the request is complex.

However, the controller should notify the individual within one month of receiving the request and explain the circumstances and the reasons behind the extension.
