How To Ensure Your Data is Erased
The GDPR assigns and enforces a significant range of rights and responsibilities related to the processing, storage, and collection of personal data. Here’s how to enforce your right to erasure:
Right to erasure
Also known as the right to be forgotten, your right to erasure, under the GDPR is outlined within Article 17. Of course, the GDPR outlines rights and responsibilities for both data subjects, and data controllers.
Data subjects and data controllers
Two quick reminders: a data subject is you, and as a data subject your rights are intrinsically linked to the regulations related to identifying your personal data, and the grounds identified for the processing of it. And, similarly, a data controller is the organisation or company you’ve shared your personal data with. The data controller is given several responsibilities around the collection, storage, and processing of your personal data. They’re also the first point of contact when you want to invoke your right to erasure.
Your rights under Article 17
Article 17 of the GDPR lays out your right to erasure quite simply and asserts your right to request the deletion of your data. The data controller is compelled to act on your request quickly; there’s usually an applicable time period of one month, circumstances permitting. Be aware, however, that you can only request the erasure of your personal data under specific circumstances.
- When your personal data is no longer required, for the purposes it was collected for.
- When you have not given explicit consent, when required, for your personal data to be collected, stored, or processed.
- When there are no overriding legal grounds for keeping your personal data.
- If your personal data was collected and processed illegally and/or without your consent.
- It is a legal requirement, in terms of a court order, legal process, or other legislation, to erase your personal data.
- Under certain circumstances, if personal data was collected when you were a child; this can be deleted at any time.
Your responsibilities under Article 17
Sure, the data controllers have several responsibilities assigned to them under Article 17 of the GDPR, but you – as a data subject – do too. And that responsibility rests on understanding when you can’t ask for your personal data to be erased. These are some of the circumstances under which your request for your personal data to be deleted may not be granted:
- Your requests are excessive.
- Your personal data needs to be kept by the data controller, in the interests of freedom of expression and information.
- It is not legally permissible to delete your data.
- It remains in the public interest to not delete your personal data.
- It’s required for the purposes of archiving, scientific research, or statistical information.
- It’s required to be kept, in the interests of public health, or for diagnostic purposes.
- Your request is manifestly unfounded. This covers your data controller, where a person – or data subject – may request the erasure of their personal data, but then expect some sort of compensation or benefit for not following through with it.
- Your request is malicious. If the intention behind erasing your personal data appears to be an attempt to disrupt the business or another sector of society, or you’re trying to target the organisation and its team in any way, this definition may apply.
As a communications consultant and freelance writer, Cath has helped more than 100 brands, businesses, and people, find the right words to tell their important stories. Cath points her cursor and bashes her keyboard to create useful, reliable content for people who want to learn more about blockchain technologies, finance, property, online safety & information security.