What Is The Right To Erasure: An Insight

Written By Shuja Khan

Updated on Feb 2, 2022

The Right to Erasure is defined in Article 17 of the General Data Protection Regulation (GDPR), which governs how personal data must be collected, processed, and erased.

This article will explain:

  • What is the Right To Erasure as per Article 17 GDPR?
  • What does the Right To Be Forgotten mean for organizations?
  • What is the importance of data erasure software for organizations?

The ‘Right To Erasure’ grants individuals the right to ask data controllers to erase their data within a reasonable time period, under certain circumstances. This tenet is a part of all leading global data protection regulatory frameworks. It’s also called the ‘Right To Be Forgotten’ or the ‘Right To Delete’. 

The idea seems simple enough. An individual asks (in writing, or verbally) a designated individual (or department) to delete their personal information. And someone, somewhere in the organization presses the delete key. However, in reality, it is never as simple as it sounds. Let’s understand the ‘Right to Erasure’ as mentioned in GDPR Article 17 and its implications for individuals and organizations. 

Beginning with the basics - What is GDPR?

Before we get to Article 17 of GDPR, which talks about the Right to be Forgotten, let’s understand GDPR.

The General Data Protection Regulation (2016/679):

  • Is an EU legislation for data privacy and security.
  • Imposes a uniform data security law on all EU member countries.
  • Applies to any and all organizations, irrespective of their location, as long as they are collecting and dealing with data related to EU citizens. 
  • Came into effect on May 25, 2018.
  • Levies punishments and penalties (up to several million euros) on violators. 

The Right to Erasure As Per Article 17 of GDPR

Once on the Internet, always on the Internet. Not anymore. 

Article 17, GDPR, dates back to 2014. Under Article 17 of the GDPR, individuals have the right to have personal data erased. This is also known as the 'right to be forgotten'. The right only applies to data held at the time the request is received.

Recitals 65 and 66 and Article 17 of the GDPR state:

“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay…”

This right to erasure got a lot of media attention after the case of Mario Costeja González, a Spanish man, vs. Google Spain, where an EU court passed the following judgment:

“... Individuals have the right to ask search engines to remove irrelevant, inadequate, or no longer relevant data.”

The right is further connected to Article 15 of the GDPR, which outlines people’s right to access personal information. Unless people have the right to do something (like request removal) about their personal information on the Internet, the right to access that information would make little sense. Now, the law has been passed in the EU and applies to situations concerning EU citizens. Let’s understand the specifics of the Right to be Forgotten.

How And When Can Individuals Request Data Erasure And Exercise Right To Be Forgotten?

Individuals can request deletion of their personal data (and organizations are required to carry it out) in the following scenarios.

  • The data is not necessary for the purpose for which it was originally collected. 
  • The data subject withdraws consent for the data to be processed, and there is no legal ground for processing the data.
  • The data subject objects to processing his/her data. 
  • The data has been/is being processed unlawfully.
  • Data removal is necessary for compliance with a legal obligation.
  • The individual’s personal data is used by the organization for direct marketing purposes, and the individual objects to this processing.
  • The data pertains to a child or an adult who was a child when the data was collected. (Or when the data is processed to offer information society services to the child.)

If individuals wish to exercise their Right to Erasure and get their data deleted, they can submit written or oral requests to any member of the concerned organization. Organizations are liable to delete all such data, links to such data, and copies thereof without undue delay. 'Without undue delay' here usually means within 30 days.

The ‘Right To Be Forgotten’ is a step towards putting control of personal data in the hands of individuals. For organizations, mishandling such data may have serious implications. Erasing customer data on request is challenging for organizations. Also, not all data removal requests may be reasonable. Article 17 of GDPR offers some relief to organizations in the latter regard. It states that in certain situations an organization's 'Right to Process Data' can override the 'Right to Erasure'.

Situations When Organizations Can Reject Customer Data Removal Requests

When the data is:

  • Being used in legal claims or for establishing a legal defense. 
  • Being used for exercising the right of freedom of information and expression. 
  • Required to comply with legal obligations or rulings.
  • Being used for carrying out tasks in the public interest. 
  • Necessary to be processed for public health purposes and serves the public interest.
  • Being processed for preventive or occupational medicine-related purposes.  (This is applicable only when a health professional who has the obligation of professional secrecy is processing the data).
  • Being used for scientific/historical research or statistical purposes in the public interest. (And the removal of the requested data will halt or impair the goal of the process being carried out).

Right To Be Forgotten - What Does It Mean For Organizations

Article 17 mentions that organizations have to comply with reasonable requests for data removal by data subjects without undue delay. 
It also includes the following points.

  1. Organizations or data controllers have to communicate the successful deletion of data to the data subjects (if requested).
  2. Organizations can charge a ‘reasonable’ fee for processing data removal requests. The fee should be based on the administrative costs of processing the request. And it should be promptly communicated to the individual who made the request.
  3. If the personal data has been made public by the data controllers or shared with other data controllers, all the recipients of such data should be informed about the erasure unless it is practically impossible or requires a disproportionate amount of effort. Available technology and the related costs of implementation should be considered. 
  4. No exemptions apply in the case of valid data deletion requests. Organizations have to remove the data from their active as well as backup systems. If immediate removal of data from backup systems is not possible, it should be made inaccessible till the time it is ultimately overwritten. Data subjects should be informed about such situations. 
  5. Other than the situations previously mentioned where the Right to Erasure does not apply, organizations can reject deletion requests if the request is ‘excessive’ or ‘manifestly unfounded.’ Excessive means that the request overlaps other requests or is a repetition of similar previous requests.
  6. Manifestly unfounded means:
    1. The individual has no interest in exercising their Right to Erasure. For example, if they seek benefits from the organization in return for withdrawing the request.
    2. The request is made with malicious intent to harass the organization.
    3. The individual regularly sends such requests to cause disruption.
    4. The request is made by individuals targeting employees with whom they have grudges. 
    5. The individual makes unsubstantiated accusations in the request against the organization or any of its employees.
  7. If organizations reject erasure requests, they have to inform the individuals about three things. One, the reason for the rejection of the request. Two, their right to complain to a superior authority. And three, their right to seek enforcement through a judicial remedy.

Importance Of Data Erasure Software For Organizations

Several thought leaders have spoken against the Right To Be Forgotten. It has been labeled as ‘rewriting history’. Some see it as a censorious force that may reduce the quality and transparency of the Internet. While the debate still goes on, organizations need to comply with Article 17 of GDPR. Manual data deletion is laborious, difficult, and unreliable. Also, such methods don’t provide sufficient and valid proof of data deletion.

If organizations are not able to furnish such proof to individuals and authorities, their GDPR-compliant status can come into question. There is also a chance of heavy monetary penalties. In such situations, data erasure software solutions are indispensable. Purpose-built data erasure software like BitRaser can help you wipe user data permanently, while producing evidence of deletion in the form of an erasure report and certificate. The Data Erasure Certificate serves as a verifiable audit trail. These can be used to prove compliance with GDPR as well as other international data privacy legislation. For example, BitRaser drive eraser uses 24 internationally recognized algorithms for data erasure. This renders the data 100% safe from the scope of recovery.

Trust the best data sanitization software to stay compliant with Article 17 of GDPR and several other pieces of data security and privacy legislation.

FAQs

What Is The Right To Erasure?

The Right to Erasure is defined in Article 17 of the General Data Protection Regulation (GDPR), which governs how personal data must be collected, processed, and erased. The 'Right To Erasure' grants individuals the right to ask data controllers to erase their data within a reasonable time period, under certain circumstances.

What Is Right To Be Forgotten?

The 'Right To Be Forgotten' means that individuals have a right, under certain circumstances, to ask organizations to delete their personal data and remove links about them from the past. This is as per Article 17 of GDPR, which covers the right to be forgotten.

What is GDPR?

The General Data Protection Regulation (2016/679):

  • Is an EU legislation for data privacy and security.
  • Imposes a uniform data security law on all EU member countries.
  • Applies to any and all organizations, irrespective of their location, as long as they are collecting and dealing with data related to EU citizens.
  • Came into effect on May 25, 2018.
  • Levies punishments and penalties (up to several million euros) on violators.

How And When Can Individuals Request Data Erasure?

Individuals can request data erasure in the following cases, when:

  • Data is not necessary for the purpose for which it was originally collected. 
  • The data subject withdraws consent for the data to be processed, and there is no legal ground for processing the data.
  • The data subject objects to processing his/her data. 
  • The data has been/is being processed unlawfully.
  • Data removal is necessary for compliance with a legal obligation.
  • The individual’s personal data is used by the organization for direct marketing purposes, and the individual objects to this processing.
  • The data pertains to a child or an adult who was a child when the data was collected.

When Can Organizations Reject Customer Data Removal Requests?

Organizations can reject customer data removal requests when the data is:

  • Being used in legal claims or for establishing a legal defense. 
  • Being used for exercising the right of freedom of information and expression. 
  • Required to comply with legal obligations or rulings.
  • Being used for carrying out tasks in the public interest. 
  • Necessary to be processed for public health purposes and serves the public interest.
  • Being processed for preventive or occupational medicine-related purposes.  (This is applicable only when a health professional who has the obligation of professional secrecy is processing the data).  
  • Being used for scientific/historical research or statistical purposes in the public interest.
