The right to be forgotten or the right to erasure allows individuals (data subjects) to request from an organization (data controller) to delete their personal data.
When is the right to be forgotten applicable
Upon receiving a request the organization is obligated to erase data if:
• the personal data is no longer necessary for the purposes it was collected previously
• the individual withdraws consent and there is no ground for the processing of personal data
• the personal data have been unlawfully processed
• the individual objects to the processing that was based on legitimate interest, and the organization has no grounds to continue processing
• data erasure is necessary for compliance with a legal obligation in Union or Member State law
• the personal data have been collected in relation to the offer of information society services
• if the individual object to the use of personal data for direct marketing purposes
When can the data controller decline the request to delete data?
There are situations where organizations can decline a request if the processing is necessary for:
• exercising the right of freedom of expression and information
• compliance with a legal obligation which requires processing by Union or Member State law
• reasons of public interest in the area of public health
• archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
• the exercise or defense of legal claims
The request could also be declined if the request is considered excessive or unfounded. However, every case should be reviewed separately and special circumstances of each case should be taken into account.
A request will be considered unfounded if the individual has the intention to cause disruption or to harras employees.
Organizations should erase the data without undue delay and at least within one month after the request was received. There are certain situations where the deadline can be longer if:
• the individual is requested to confirm the identity (for example, provide a copy of an ID)
• the organization charges a fee (this can only be applicable in certain situations and is advised to avoid)
Response time can be further extended by two months if the organization has received more requests from one individual or if the request is complex.
However, the controller should notify an individual within one month from receiving the request and explain the circumstances and the reasons behind the extension.