22# Data Subject Rights – The right to erasure

Happy new year! This is the first post of our GDPR Requirements series in 2023, and to start the year right, we’ll begin with discussing the right to erasure – also known as “the right to be forgotten”.

This is not an absolute right and only applies in seven specific cases. You, as the controller, only have to comply with an erasure request when:

1. The personal data is no longer necessary for the purpose you originally collected or processed it for;
2. You are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
3. You are relying on legitimate interests as your lawful basis for processing, and the individual objects to the processing of their data, and there is no overriding legitimate interest to continue processing;
4. You are processing the personal data for direct marketing purposes and the individual objects to this;
5. You have processed the personal data unlawfully in breach of the lawfulness principle;
6. You have to erase the data to comply with a legal obligation;
7. You have processed the data to offer information society services to a child.

However, even if one of these scenarios applies, there are still exceptions which make the right to erasure inapplicable. That is the case if the processing is necessary:

• For exercising the right of freedom, expression and information
• For complying with a legal obligation
• For performing a task carried out in the public interest or for the exercise of official authority vested in the controller
• For reasons of public interest of public health, for example, preventative medicine, medical diagnosis, health or social care and management of health or social care systems or services. However, this only applies where the personal data is being processed by or under the responsibility of a health professional who is subject to a legal obligation of professional secrecy, or for reasons of public interest in the area of public health
• For archiving purposes in the public interest, for scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing
• For the establishment, exercise or defence of legal claims

What does the GDPR mean by “necessary processing”? It means that there are no other less intrusive ways to fulfil the purposes of the processing.

Your decision to either delete the data or to refuse to act on the deletion request has to be explainable and justifiable. You should also inform the data subjects about their right to lodge a complaint to their relevant supervisory authority and their ability to seek to enforce their rights through a judicial remedy.

There are also two specific circumstances according to the GDPR where you should tell other organisations about the erasure, rectification or restriction of processing of personal data. The first one is if you have disclosed the data to other recipients. If you have disclosed the personal data to other recipients, you must contact and inform them of any request for rectification, erasure or restriction of processing of the personal data. The objective of this rule is to facilitate the exercise of the data subjects’ rights by removing the need for further communication with the relevant recipients to, for example, erase or restrict the processing of data. However, there are two exceptions to the obligation to notify other recipients about the request, namely if it proves impossible or involves a disproportionate effort for you to contact the recipients.

• ‘Impossibility’ refers to that there is at least one factor that absolutely prevents you from contacting the recipients. For example, this might be the case if the recipient is not reachable or no longer exists and has no legal successor. Generally, there is no degree of impossibility, it is either impossible or not.
• Relying on ‘disproportionate effort’ implies weighing the interest between you, the controller, and the impact and effect on the data subjects – the individual’s interest regarding their privacy, and the controller’s burdens and efforts, financial and time investments. Remember that this should be a case-by-case assessment.

In addition to the above, if you are asked to, you must also inform the data subject about those recipients to whom their personal data have been disclosed.

The second circumstance in question is if the personal data has been made public online, such as on social networks or websites, then you need to take reasonable measures to inform other relevant controllers. When you assess the reasonability, you may consider the available technology and the means available to you as a controller.

When responding to a ‘right to erasure’ request, DPOrganizer’s tool makes it easy by having your processing operations mapped, which would be a time-saver in identifying what data are processed, where, and how. You can also create a case and have a case log readily available for responding to the request. Don’t hesitate to contact our Professional Service team (albin.thelin@nulldporganizer.com) or the privacy community Watercooler if you have any questions about responding to data subject requests – or anything else for that matter! If you’d like to read up a bit more about the right to erasure, please have a look at the EU Guidelines and the ICO Guidelines.

We hope you continue to enjoy our series on the GDPR in 2023, as we look forward to teaching our readers more about the GDPR and compliance. Next Tuesday, we’re taking a closer look at the right to restrict processing.