What is the right to erasure?
Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.
When does the right to erasure apply?
Individuals have the right to have their personal data erased if:
- the personal data is no longer necessary for the purpose which the business originally collected or processed it for;
- the business are relying on consent as their lawful basis for holding the data, and the individual withdraws their consent;
- the business is relying on legitimate interests as their basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
- the business are processing the personal data for direct marketing purposes and the individual objects to that processing;
- the business have processed the personal data unlawfully (ie in breach of the lawfulness requirement of the 1st principle);
- the business have to do it to comply with a legal obligation; or
- the business has processed the personal data to offer information society services to a child.
When does the right to erasure not apply?
The right to erasure does not apply if processing is necessary for one of the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation;
- for the performance of a task carried out in the public interest or in the exercise of official authority;
- for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
- for the establishment, exercise or defence of legal claims.
The GDPR also specifies two circumstances where the right to erasure will not apply to special category data:
- if the processing is necessary for public health purposes in the public interest (eg protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or
- if the processing is necessary for the purposes of preventative or occupational medicine (eg where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (eg a health professional).
Contact details to exercise your right to erasure
M-Tech Systems, Martello House, Edward Road, East Sussex, BN23 8AS
Updates to this page
The information on this page is correct to 28th January 2019.