Your Right to Erasure

How To Ensure Your Data is Erased

The GDPR assigns and enforces a significant range of rights and responsibilities related to the processing, storage, and collection of personal data. Here’s how to enforce your right to erasure:

Right to erasure

Also known as the right to be forgotten, your right to erasure, under the GDPR is outlined within Article 17. Of course, the GDPR outlines rights and responsibilities for both data subjects, and data controllers.

Data subjects and data controllers

Two quick reminders: a data subject is you, and as a data subject your rights are intrinsically linked to the regulations related to identifying your personal data, and the grounds identified for the processing of it. And, similarly, a data controller is the organisation or company you’ve shared your personal data with. The data controller is given several responsibilities around the collection, storage, and processing of your personal data. They’re also the first point of contact when you want to invoke your right to erasure.

Your rights under Article 17

Article 17 of the GDPR lays out your right to erasure quite simply and asserts your right to request the deletion of your data. The data controller is compelled to act on your request quickly; there’s usually an applicable time period of one month, circumstances permitting. Be aware, however, that you can only request the erasure of your personal data under specific circumstances.

These include:

• When your personal data is no longer required, for the purposes it was collected for. 
• When you have not given explicit consent, when required, for your personal data to be collected, stored, or processed. 
• When there are no overriding legal grounds for keeping your personal data. 
• If your personal data was collected and processed illegally and/or without your consent. 
• It is a legal requirement, in terms of a court order, legal process, or other legislation, to erase your personal data.
• Under certain circumstances, if personal data was collected when you were a child; this can be deleted at any time.  

Your responsibilities under Article 17

Sure, the data controllers have several responsibilities assigned to them under Article 17 of the GDPR, but you – as a data subject – do too. And that responsibility rests on understanding when you can’t ask for your personal data to be erased. These are some of the circumstances under which your request for your personal data to be deleted may not be granted:

• Your requests are excessive. 
• Your personal data needs to be kept by the data controller, in the interests of freedom of expression and information.
• It is not legally permissible to delete your data. 
• It remains in the public interest to not delete your personal data.
• It’s required for the purposes of archiving, scientific research, or statistical information. 
• It’s required to be kept, in the interests of public health, or for diagnostic purposes.
• Your request is manifestly unfounded. This covers your data controller, where a person – or data subject – may request the erasure of their personal data, but then expect some sort of compensation or benefit for not following through with it.
• Your request is malicious. If the intention behind erasing your personal data appears to be an attempt to disrupt the business or another sector of society, or you’re trying to target the organisation and its team in any way, this definition may apply.