This article will explain:
- What is the Right To Erasure as per Article 17 GDPR?
- What does the Right To Be Forgotten mean for organizations?
- What is the importance of data erasure software for organizations?
The ‘Right To Erasure’ grants individuals the right to ask data controllers to erase their data within a reasonable time period, under certain circumstances. This tenet is a part of all leading global data protection regulatory frameworks. It’s also called the ‘Right To Be Forgotten’ or the ‘Right To Delete’.
The idea seems simple enough. An individual asks (in writing, or verbally) a designated individual (or department) to delete their personal information. And someone, somewhere in the organization presses the delete key. However, in reality, it is never as simple as it sounds. Let’s understand the ‘Right to Erasure’ as mentioned in GDPR Article 17 and its implications for individuals and organizations.
Beginning with the basics - What is GDPR?
Before we get to Article 17 of GDPR which talks about the Right to be Forgotten, let’s understand GDPR.
The General Data Protection Regulation (2016/679):
- Is an EU legislation for data privacy and security.
- Imposes a uniform data security law on all EU member countries.
- Applies to any and all organizations, irrespective of their location, as long as they are collecting and dealing with data related to EU citizens.
- Came into effect on May 25, 2018.
- Levies punishments and penalties (up to several million euros) on violators.
The Right to Erasure As Per Article 17 of GDPR
Once on the Internet, always on the Internet. Not anymore.
Article 17, GDPR, dates back to 2014. Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the 'right to be forgotten'. The right only applies to data held at the time the request is received.
The Recitals 65 and 66 and in Article 17 of the GDPR state,
“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay…”
This right to erasure got lot of media attention after the case of Mario Costeja González, a Spanish man vs. Google Spain where an EU court passed the following judgment:
"... Individuals have the right to ask search engines to remove irrelevant, inadequate, or no longer relevant data”.
The right is further connected to Article 15. (Article 15 of the GDPR outlines people’s right to access personal information. Unless people have the right to do something (like request removal) about their personal information on the Internet, the right to access that information would make little sense. Now, the law has been passed in the EU and applies to situations concerning EU citizens. Let’s understand the specifics of the Right to be forgotten.
How And When Can Individuals Request Data Erasure And Exercise Right To Be Forgotten?
Individuals can request (and organizations are required to) deletion of their personal data in the following scenarios.
- The data is not necessary for the purpose for which it was originally collected.
- When the data subject withdraws consent for the data to be processed. And there is no legal ground for processing the data.
- The data subject objects to processing his/her data.
- The data has been/is being processed unlawfully.
- Data removal is necessary for compliance with a legal obligation.
- Individual’s personal data is used by organization for direct marketing purposes and the individual objects to this processing.
- The data pertains to a child or an adult who was a child when the data was collected. (Or when the data is processed to offer information society services to the child.)
If individuals wish to exercise their Right to Erasure and get their data deleted, they can submit written or oral requests to any member of the concerned organization. Organizations are liable to delete all such data, links to such data, and copies thereof without undue delay. An undue delay here usually means within 30 days.
The ‘Right To Be Forgotten’ is a step towards handing the control of their personal data in the hands of individuals. For organizations mishandling such data of individuals may have serious implications. Erasing customer data on request is challenging for organizations. Also, all requests of data removal may not be reasonable. Article 17 of GDPR offers some relief to organizations in the latter regard. It states that in certain situations organization's 'Right to Process Data' can override the 'Right to Erasure'.
Situations When Organizations Can Reject Customer Data Removal Requests
When the data is:
- Being used in legal claims or for establishing a legal defense.
- Being used for exercising the right of freedom of information and expression.
- Required to comply with legal obligations or rulings.
- Being used for carrying out tasks in the public interest.
- Necessary to be processed for public health purposes and serves the public interest.
- Being processed for preventive or occupational medicine-related purposes. (This is applicable only when a health professional who has the obligation of professional secrecy is processing the data).
- Being used for scientific/historical research or statistical purposes in the public interest. (And the removal of the requested data will halt or impair the goal of the process being carried out).
Right To Be Forgotten - What Does It Mean For Organizations
Article 17 mentions that organizations have to comply with reasonable requests for data removal by data subjects without undue delay.
It also includes the following points.
- Organizations or data controllers have to communicate the successful deletion of data to the data subjects (if requested).
- Organizations can charge a ‘reasonable’ fee for processing data removal requests. The fee should be based on the administrative costs of processing the request. And it should be promptly communicated to the individual who made the request.
- If the personal data has been made public by the data controllers or shared with other data controllers, all the recipients of such data should be informed about the erasure unless it is practically impossible or requires a disproportionate amount of effort. Available technology and the related costs of implementation should be considered.
- No exemptions apply in the case of valid data deletion requests. Organizations have to remove the data from their active as well as backup systems. If immediate removal of data from backup systems is not possible, it should be made inaccessible till the time it is ultimately overwritten. Data subjects should be informed about such situations.
- Other than situations previously mentioned where the Right to Erasure does not apply, organizations can reject deletion requests if the request is ‘excessive’ or ‘manifestly unfounded.’ Excessive means if the request overlaps other requests. Or it is a repetition of similar previous requests.
- Manifestly unfounded means:
- The individual has no interest in exercising their Right to Erasure. For example, if they seek benefits from the organization in return for withdrawing the request.
- The request is made with malicious intent to harass the organization.
- The individual regularly sends such requests to cause disruption.
- The request is made by individuals targeting employees with whom they have grudges.
- The individual makes unsubstantiated accusations in the request against the organization or any of its employees.
- If organizations reject erasure requests, they have to inform the individuals about three things. One, the reason for the rejection of the request. Two, their right to complain to a superior authority. And three, their right to seek enforcement through a judicial remedy.
Importance Of Data Erasure Software For Organizations
Several thought leaders have spoken against the Right To Be Forgotten. It has been labeled as ‘rewriting history’. Some see it as a censorious force that may reduce the quality and transparency of the Internet. While the debate still goes on, organizations need to comply to Article 17 of GDPR. Manual data deletion is laborious, difficult, and unreliable. Also, such methods don’t provide sufficient and valid proof of data deletion.
If organizations are not able to furnish such proof to individuals and authorities, their GDPR compliant status can come under question. Not to mention, there is also a chance for heavy monetary penalties. In such situations, data erasure software solutions are indispensable. Purpose-built data erasure software like BitRaser can help you wipe user-data permanently, while producing evidence of deletion in form of erasure report and certificate. Data Erasure Certificate serves as verifiable audit trails. These can be used to prove compliance with GDPR as well as other international data privacy legislations. For example, BitRaser drive eraser uses 24 internationally recognized algorithms for data erasure. This renders the data 100% safe from the scope of recovery.
Trust the best data sanitization software to stay compliant with Article 17 of GDPR and several other data security and privacy legislation.