How To Ensure Your Data is Erased

The GDPR assigns and enforces a significant range of rights and responsibilities related to the processing, storage, and collection of personal data. Here’s how to enforce your right to erasure:

Right to erasure

Also known as the right to be forgotten, your right to erasure under the GDPR is outlined within Article 17. Of course, the GDPR outlines rights and responsibilities for both data subjects and data controllers.

Data subjects and data controllers

Two quick reminders: a data subject is you, and as a data subject your rights are intrinsically linked to the regulations related to identifying your personal data, and the grounds identified for the processing of it. And, similarly, a data controller is the organisation or company you’ve shared your personal data with. The data controller is given several responsibilities around the collection, storage, and processing of your personal data. They’re also the first point of contact when you want to invoke your right to erasure.

Your rights under Article 17

Article 17 of the GDPR lays out your right to erasure quite simply and asserts your right to request the deletion of your data. The data controller is compelled to act on your request quickly; there’s usually an applicable time period of one month, circumstances permitting. Be aware, however, that you can only request the erasure of your personal data under specific circumstances.

These include:

  • When your personal data is no longer required for the purposes it was collected for.
  • When you have not given explicit consent, when required, for your personal data to be collected, stored, or processed. 
  • When there are no overriding legal grounds for keeping your personal data. 
  • If your personal data was collected and processed illegally and/or without your consent. 
  • It is a legal requirement, in terms of a court order, legal process, or other legislation, to erase your personal data.
  • Under certain circumstances, if your personal data was collected when you were a child, it can be deleted at any time.


Your responsibilities under Article 17

Sure, the data controllers have several responsibilities assigned to them under Article 17 of the GDPR, but you – as a data subject – do too. And that responsibility rests on understanding when you can’t ask for your personal data to be erased. These are some of the circumstances under which your request for your personal data to be deleted may not be granted:

  • Your requests are excessive. 
  • Your personal data needs to be kept by the data controller, in the interests of freedom of expression and information.
  • It is not legally permissible to delete your data. 
  • It remains in the public interest to not delete your personal data.
  • It’s required for the purposes of archiving, scientific research, or statistical information. 
  • It’s required to be kept, in the interests of public health, or for diagnostic purposes.
  • Your request is manifestly unfounded. This covers the data controller in cases where a person – or data subject – requests the erasure of their personal data, but then expects some sort of compensation or benefit for not following through with it.
  • Your request is malicious. If the intention behind erasing your personal data appears to be an attempt to disrupt the business or another sector of society, or you’re trying to target the organisation and its team in any way, this definition may apply. 

If you have a query related to the erasure of your personal data or need help with processing a request, get in touch with ProPrivacy, and we’ll guide you through the Data Protection Commission process and procedures.

Written By Philipa Jane Farley

Philipa is the lead consultant and auditor at ProPrivacy. With clients as far afield as Canada, South Africa, Kenya, Germany, Spain and other such exotic locations, besides Cork and elsewhere in Ireland, Philipa enjoys a broad view of the state of data protection, privacy and cyber security worldwide. Philipa’s passion is manageable data compliance for SMEs.

Philipa is a qualified teacher, besides holding qualifications in computer science (Bachelor of Science in Artificial Intelligence Programming) and electronic and intellectual property law (LLB). She is trained in constitutional (fundamental) rights litigation and enjoys a good debate.

Philipa has over twenty years of experience working in organisations of different sizes and sectors on operational, governance, risk management and compliance matters. She is an analytical and focused person who enjoys a challenge in the workplace. She loves technology, systems and people and has a passion for showing people how technology can make life easier and better. She understands that the world is driven by data today but privacy is paramount. Responsibly developed AI excites Philipa for the future.
