The right to be forgotten is an individual’s (data subject’s) right to demand companies to erase or anonymise their personal data (this is called “right to be forgotten” or “right for erasure” in GDPR terms).
According to GDPR, “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay”. “Undue delay” should be understood as the latest within one month of receipt of the request for erasure or receiving identity verification or a fee, if such can be applied.
The data subject has the right to have their personal data erased (right to be forgotten) if:
- Personal data is no longer necessary for the original purpose of collection or processing.
- The company is relying on a data subject’s consent as the legal basis for processing the data and that individual withdraws their consent.
- The company is relying on legitimate interest as its legal basis, the data subject objects to this processing, and there is no overriding legitimate interest for the organisation to continue with the processing.
- The company is processing personal data for direct marketing purposes and the data subject objects to this processing.
- The company processed a data subject’s personal data unlawfully.
- The company must erase personal data in order to comply with a lawful obligation.
However, a right to process someone’s data might override their right to be forgotten in the following situations:
- The data is being used to exercise the right of freedom of expression and information.
- The data is being used to comply with a lawful obligation.
- The data is being used to perform a task that is being carried out in vital or public interest.
- The data is being used for the establishment of legal defence or in the exercise of other legal claims.