Written By Shuja Khan
Updated on Feb 2, 2022
The Right to Erasure is defined in Article 17 of the General Data Protection Regulation (GDPR), the EU regulation that governs how personal data must be collected, processed, and erased.
This article will explain:
The ‘Right To Erasure’ grants individuals the right to ask data controllers to erase their personal data, under certain circumstances, within a defined time period. A comparable right appears in many other data protection frameworks around the world. It is also called the ‘Right To Be Forgotten’ or the ‘Right To Delete’.
The idea seems simple enough. An individual asks (in writing, or verbally) a designated person or department to delete their personal information, and someone, somewhere in the organization, presses the delete key. In reality it is rarely that simple: the data typically lives in several systems, in copies, in logs and in backups. Let’s look at the ‘Right to Erasure’ as set out in GDPR Article 17 and its implications for individuals and organizations.
Beginning with the basics - What is GDPR?
Before we get to Article 17 of GDPR which talks about the Right to be Forgotten, let’s understand GDPR.
The General Data Protection Regulation (2016/679):
Once on the Internet, always on the Internet. Not anymore.
The ‘right to be forgotten’ predates the GDPR itself: the Court of Justice of the EU recognised it in 2014 under the earlier Data Protection Directive, and the GDPR codified it in Article 17. Under Article 17, individuals have the right to have their personal data erased. The right only applies to data held at the time the request is received; it does not oblige a controller to prevent the same data from being collected again later.
Recitals 65 and 66 elaborate on the right; Article 17(1) itself states:
“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay…”
The right to erasure attracted a great deal of media attention after the 2014 case brought by Mario Costeja González, a Spanish national, against Google Spain, in which the Court of Justice of the EU held, in summary, that:
"... Individuals have the right to ask search engines to remove irrelevant, inadequate, or no longer relevant data”.
The right is closely connected to Article 15, which gives individuals the right of access to their personal data. Without a right to do something about that data (such as request its removal), the right to access it would mean little. The GDPR has applied since 25 May 2018 to the personal data of individuals in the EU, including where the organization processing it is established elsewhere. Let’s look at the specifics of the right to be forgotten.
Individuals can request, and organizations are required to carry out, deletion of their personal data in the following scenarios.
Individuals who wish to exercise their Right to Erasure can submit a written or oral request to any part of the organization; it need not be addressed to a designated contact to be valid. The organization must then delete the data, links to it, and copies of it without undue delay. Article 12(3) puts a figure on this: the controller must respond within one month of receiving the request, extendable by a further two months where requests are complex or numerous, provided the individual is told of the extension within the first month.
The ‘Right To Be Forgotten’ is a step towards placing control of personal data in the hands of the individuals it concerns. For organizations, mishandling such data can have serious consequences, and erasing customer data on request is operationally challenging. Not every erasure request must be honoured, however. Article 17(3) offers organizations some relief here: it lists situations in which the controller’s grounds for continuing to process the data override the right to erasure.
When the data is:
Article 17 requires organizations to comply with valid requests for data removal from data subjects without undue delay.
It also includes the following points.
Several thought leaders have spoken against the Right To Be Forgotten. It has been labelled ‘rewriting history’, and some see it as a censorious force that may reduce the quality and transparency of the Internet. While that debate continues, organizations still need to comply with Article 17 of GDPR. Manual data deletion is laborious, difficult and unreliable, and it produces no verifiable record that the deletion actually happened.
If an organization cannot furnish such proof to individuals and supervisory authorities, its GDPR compliance can be called into question, and heavy monetary penalties are possible. Purpose-built data erasure software such as BitRaser addresses this by wiping data permanently and producing evidence of deletion in the form of an erasure report and certificate. These certificates serve as a verifiable audit trail that can be used to demonstrate compliance with GDPR and other international data privacy legislation. BitRaser Drive Eraser, for example, supports 24 internationally recognized erasure algorithms, each designed to put the overwritten data beyond recovery. Two caveats apply to any overwrite-based tool. First, multi-pass overwriting was designed for magnetic disks; for SSDs and other flash media, NIST SP 800-88 favours the device’s own sanitize or cryptographic-erase commands, because wear levelling can leave copies that a logical overwrite never reaches. Second, media sanitization covers drives and devices being wiped whole; honouring a single data subject’s erasure request in a live system also means removing that subject’s records from databases, logs and backups at the application level.
Trust the best data sanitization software to stay compliant with Article 17 of GDPR and with other data security and privacy laws.
Erasure algorithms supported by BitRaser Drive Eraser:

| Algorithm or standard | Passes |
|---|---|
| US Department of Defense, DoD 5220.22-M | 3 |
| US Department of Defense, DoD 5220.22-M (ECE) | 7 |
| US Department of Defense, DoD 5200.28-STD | 7 |
| Russian Standard GOST R 50739-95 | 2 |
| Bruce Schneier’s algorithm | 7 |
| German Standard VSITR | 7 |
| Peter Gutmann | 35 |
| US Army AR 380-19 | 3 |
| North Atlantic Treaty Organization (NATO) Standard | 7 |
| US Air Force AFSSI 5020 | 3 |
| Pfitzner algorithm | 33 |
| Canadian RCMP TSSIT OPS-II | 4 |
| British HMG IS5 | 3 |
| Pseudo-random & Zeroes | 2 |
| Random Random Zero | 6 |
| British HMG IS5 Baseline standard | 1 |
| NAVSO P-5239-26 | 3 |
| NCSC-TG-025 | 3 |
| 5 customized algorithms and more | |
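As an added illustration (example code written for this page, not BitRaser’s implementation), the block below shows what a verified overwrite looks like for the most-cited entry in the table, the three-pass scheme commonly described for DoD 5220.22-M (E): a fixed byte, its complement, then random data. Each pass is read back and hashed, so the resulting report carries per-pass evidence rather than a bare ‘done’ flag, and the file name is only removed once all three passes verify. The sample record and the temporary file are constructed for the demonstration. It also shows where the practical caveat bites: overwriting a file through the filesystem only reaches the logical blocks, so on SSDs, copy-on-write filesystems, snapshots and backups it does not guarantee the physical copies are gone, which is why NIST SP 800-88 points to device-level sanitize commands for modern media and why whole-drive tools exist.

```python
"""Three-pass file overwrite (fixed byte, complement, random) with read-back
verification and per-pass SHA-256 digests for an erasure report.
Illustrative example only; not the implementation of any product."""
import hashlib
import os
import secrets
import tempfile

BLOCK = 4096

# Constructed sample "personal data"; used only to exercise the routine.
SAMPLE_RECORD = b"name=Jane Example;email=jane@example.org;dob=1980-01-01\n" * 64


def _write_pass(f, size, byte=None):
    """Overwrite `size` bytes from offset 0 and return the SHA-256 of what
    was written. byte=None writes random data, otherwise the byte is repeated.
    Hashing as we write lets a random pass be verified by read-back too."""
    f.seek(0)
    digest = hashlib.sha256()
    remaining = size
    while remaining:
        n = min(BLOCK, remaining)
        chunk = secrets.token_bytes(n) if byte is None else bytes([byte]) * n
        f.write(chunk)
        digest.update(chunk)
        remaining -= n
    f.flush()
    os.fsync(f.fileno())  # push the pass through the OS cache to the device
    return digest.hexdigest()


def _read_digest(f, size):
    """SHA-256 of the first `size` bytes as they read back from the file."""
    f.seek(0)
    digest = hashlib.sha256()
    remaining = size
    while remaining:
        chunk = f.read(min(BLOCK, remaining))
        if not chunk:
            raise IOError("short read during verification")
        digest.update(chunk)
        remaining -= len(chunk)
    return digest.hexdigest()


def dod_5220_22m_3pass(path, fill=0x55):
    """Pass 1: fixed byte; pass 2: its complement; pass 3: random data.
    Every pass is verified by comparing the digest of the data written with
    the digest of the data read back. Returns a report dict; the file is
    unlinked only if all passes verified. Note: this sanitizes the file's
    current logical blocks only, not SSD spare cells, snapshots or backups."""
    size = os.path.getsize(path)
    report = {"path": path, "size": size, "passes": []}
    with open(path, "r+b") as f:
        for name, byte in (("fixed", fill), ("complement", fill ^ 0xFF), ("random", None)):
            written = _write_pass(f, size, byte)
            read_back = _read_digest(f, size)
            report["passes"].append(
                {"pass": name, "sha256": read_back, "verified": written == read_back}
            )
    report["verified"] = all(p["verified"] for p in report["passes"])
    if report["verified"]:
        os.remove(path)  # remove the name only once the contents are gone
    return report


def demo():
    """Write the constructed sample to a temp file, wipe it, return the report."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(SAMPLE_RECORD)
    report = dod_5220_22m_3pass(path)
    report["file_removed"] = not os.path.exists(path)
    return report


if __name__ == "__main__":
    r = demo()
    print(f"{r['size']} bytes, {len(r['passes'])} passes, "
          f"verified={r['verified']}, removed={r['file_removed']}")
    for p in r["passes"]:
        print(f"  {p['pass']:<10} sha256={p['sha256'][:16]}... verified={p['verified']}")
```

Run directly to wipe the constructed temp file and print the per-pass digests; `dod_5220_22m_3pass` returns the report as a dictionary so it can be serialised straight into an erasure certificate. The per-pass digest is what turns "we ran the tool" into evidence: anyone holding the report can confirm that the fixed and complement passes hash to the expected constant patterns for that file size.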