Right to be forgotten (Article 17 GDPR):
The right to be forgotten, also known as the right to erasure, is one of the core rights of data subjects under the General Data Protection Regulation (GDPR). It allows data subjects to request the erasure of their personal data if certain conditions are met. This right is designed to ensure that personal data is not stored for longer than necessary and that data subjects have more control over their data. Here are the key aspects and requirements of the right to be forgotten explained in detail:
Conditions for the right to be forgotten:
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall be obliged to erase personal data without undue delay where one of the following grounds applies:
- Purpose achievement: The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
- Withdrawal of consent: The data subject withdraws consent on which the processing is based according to point (a) of Article 6(1) or point (a) of Article 9(2), and where there is no other legal ground for the processing.
- Objection: The data subject objects to processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to processing pursuant to Article 21(2).
- Unlawful processing: The personal data have been processed unlawfully.
- Compliance with a legal obligation: The erasure of personal data is necessary to fulfill a legal obligation under Union or Member State law to which the controller is subject.
- Information society services: The personal data were collected in relation to the offer of information society services pursuant to Article 8(1).
Exceptions to the right to be forgotten:
The right to be forgotten does not apply to the extent that processing is necessary:
- Exercise of the right to freedom of expression and information: Processing is necessary for the exercise of the right to freedom of expression and information.
- Compliance with a legal obligation: Processing is necessary for compliance with a legal obligation required by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Public interest in the area of public health: Processing is necessary for reasons of public interest in the area of public health pursuant to points (h) and (i) of Article 9(2) and Article 9(3).
- Archiving purposes, scientific or historical research purposes, statistical purposes: Processing is necessary for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes, where the right to erasure is likely to make the achievement of the objectives of that processing impossible or seriously compromise it.
- Assertion, exercise or defense of legal claims: Processing is necessary to assert, exercise or defend legal claims.
Relevant articles of the GDPR:
- Article 17: Right to erasure (right to be forgotten)
- Article 21: Right to object
- Recital 65: Right to be forgotten and obligation to erase
- Recital 66: Obligation to erase data and to inform third parties
Process of implementing the right to be forgotten:
- Request by the data subject: The data subject must submit a request to the controller to delete his or her personal data. This request can be made in writing, electronically or orally and should contain specific information about the data to be deleted.
- Examination of the request: The controller must examine the request and determine whether one of the above-mentioned reasons for erasure applies, taking into account possible exceptions.
- Deletion of data: If the request is justified, the controller must delete the personal data in question immediately. This also includes the deletion of data from backup systems and other storage media.
- Notification of third parties: If the personal data have been made public or disclosed to third parties, the controller must take reasonable steps to inform those third parties of the erasure request and request that they also delete any links to or copies of those data.
- Informing the data subject: The controller must inform the data subject of the measures taken, stating either that the data has been erased or why the request has been rejected.
Documentation and proof:
The controller must document the requests for erasure and the measures taken in order to demonstrate compliance with the GDPR to the supervisory authorities. This documentation should include:
- Copy of the data subject’s request: The original request for erasure.
- Decision-making process: A description of the review of the request and the reasons for the decision.
- Measures taken: Details of the measures taken to delete the data and, where applicable, to notify third parties.
- Correspondence with the data subject: Written exchanges or other evidence of communication between the controller and the data subject.
Summary:
The right to be forgotten allows data subjects to request the erasure of their personal data when certain conditions are met. Companies must ensure that they properly assess and implement erasure requests to meet the requirements of the GDPR and protect the rights of data subjects. Compliance with these requirements requires careful processes and clear communication to ensure that personal data is not retained for longer than necessary and that data subjects retain control over their data.