Article 17 of the GDPR introduced a right for individuals to have their personal data erased, also known as the “right to be forgotten”.
Individuals can make a request for erasure verbally or in writing. A response must be given to a request without undue delay and in any event within one month.
The right is not absolute and only applies where there is one of the following grounds:
- The personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
- Consent was the sole legal ground for holding the data, but consent is withdrawn;
- The data controller relies on legitimate interests as the basis for processing, the individual objects to the processing, and there is no overriding legitimate interest to continue the processing;
- The data controller is processing the personal data for direct marketing purposes and the individual objects to that processing;
- The personal data has been unlawfully processed;
- The personal data has to be erased for compliance with a legal obligation;
- The personal data has been processed to offer information society services to a child.
Requests for erasure of information where a child previously gave consent should be given particular weight when deciding whether to erase the data, even if the child has become an adult by the time the request to be forgotten is made. This is because when they were a child they may not have been fully aware of the risks involved in the processing at the time they gave consent.
It is important to realise that there are also occasions when those holding data on others will be required to inform other organisations about the erasure of personal data. This can apply, for instance, where personal data has been made public in an online environment, such as on social networks, forums, or websites. Reasonable steps may have to be made to inform other controllers that are processing the personal data that they should erase links to, copies, or replication of that data.
It is also likely that if a valid request for erasure is received that backup systems will need to be wiped, as well as any live systems.
There are legally justifiable reasons why in some circumstances an organisation can refuse to comply with a request however, either wholly or partly.
At Stewarts we assist individuals with making “right to be forgotten” requests, we advise organisations on whether they can refuse to comply with requests, and we deal with disputes over whether there has been proper compliance with a request, including regulatory complaints or litigation over requests if necessary.
Cybersecurity and Data
Media and Communications
"They work hand in glove with you and can compete with the big firms"Chambers
"Stewarts has a go-to commercial litigation practice with strength in a number of fields"The Legal 500
"We find them excellent in terms of their tactical and strategic approach to running the case"Chambers
Meet our Media Disputes team
Our team are experts in the media sector.
We deal with matters in the UK courts and in foreign jurisdictions, as well as in relation to complaints made to UK regulators.