The Blog

What is the “right to be forgotten”?

Nov 14, 2022 | Uncategorised

“The right to be forgotten”, officially known as “the Right to Erasure”, is part of the GDPR – the EU’s data protection law. GDPR was implemented in the UK under the Data Protection Act 2018 and, at the time of writing, still applies.

It’s built on the belief that any individual has the right to have their personal data erased from organisations’ databases. In this way, it increases the level of control that individuals previously had.

Erasure here means that the data is removed and no longer distributed by the data controller. It aims, where possible, to stop third parties from having the ability to process this data.

The right isn’t absolute and the request has to meet certain criteria. However, the individual no longer has to prove that their data being held is causing them damage or distress, as was the case before GDPR. The new criteria are:

  • The original purpose for which the organisation held your data no longer applies. This would be the case if, for example, you cancelled a magazine subscription – the magazine company no longer needs your name, address or other personal details.
  • You withdraw your consent. Let’s say you took part in market research and supplied the organisation with your personal details. Once you’ve withdrawn your consent, they have to erase your data.
  • You object to the way your data is being used. In this case, however, your interests have to be seen as more important than those of the organisation.
  • You don’t want your data to be used for direct marketing.
  • Your data was collected and/or has been used in a way that doesn’t comply with GDPR.
  • You provided the data as a child – on social media, for instance, or a gaming app.

Why would you want to be forgotten?

The reasons for wanting to exercise this right vary. Sometimes, it comes from a distrust of organisations and a fear that data will be sold to third parties. At other times, it’s because people have painful or embarrassing data about themselves available at the click of a button and they don’t want it to be available to colleagues, employers and peers.

One specific example is the case of Hurbain v. Belgium. This revolved around a request by an individual known as “G” to the Belgian newspaper Le Soir. This publication had in its searchable digital archive an article that named G in relation to a conviction.

He argued that, as his conviction was spent, his name should be made anonymous in the article. The editor of Le Soir, Mr Hurbain, argued that this violated his freedom of expression – but the courts sided with G. Consequently, G’s criminal conviction isn’t searchable online.

Another example is provided by Google, which is required by EU law to remove links from search results in Europe when it receives an appropriate request – but not from the rest of the world.

How do I exercise the right to be forgotten?

The best way to start the process is to contact the organisation and make the request directly. This could be verbally or in writing, but it’s sensible to follow up in writing anyway so you have a record.

What is the organisation obliged to do in response?

In most circumstances, the organisation is required to delete your data. They’re expected to make this process painless. And unless it’s impossible or nigh-on impossible, they should tell any third parties they have shared your data with that you wish for it to be deleted.

We say “in most circumstances” because occasionally the organisation can say no. This is why we said the right isn’t absolute.

Organisations can refuse to delete your data if:

  • Holding your data is necessary for artistic, academic, journalistic or literary purposes.
  • The request clashes with other obligations – if, say, the organisation needs your data in order to comply with financial regulations. The ICO (the UK’s regulatory body for GDPR) gives the example of an organisation keeping an ex-employee’s data so that it can disclose employee salaries to HMRC.
  • The request is needed for a task that’s judged to be in the public interest.
  • The request would obstruct legal processes.
  • The data is needed for public health purposes or for the provision of health or social systems.
  • The request would have an adverse effect on scientific or historical research.
  • The request is “manifestly unfounded or excessive” – if, for instance, it appears to be a form of harassment against an organisation.

If the organisation argues on one or more of these grounds, it can refuse to act on your request – or ask for an administrative fee. Otherwise, it has to delete your data without payment.

Whatever happens, organisations are legally obliged to keep you in the loop and justify their decisions.

How long should it take?

According to the ICO, organisations have one calendar month to respond to a request. This response could either be a confirmation that the data has been erased or a refusal.

This period can be extended by a further two months if the request is complex or if the individual has sent multiple requests. The organisation is obliged to tell you if this is happening and to explain why.

Organisations can ask for ID if they’re unsure who is making the request – but as with the time limit extension, they have to keep the individual informed and up to speed.

What if you’re dissatisfied with an organisation’s response?

If an organisation refuses to delete your data or asks for a fee, your first port of call is to raise a complaint with them directly. If you remain dissatisfied, you can make a complaint to the ICO.

In the worst-case scenario, you can pursue your request through the courts.

At Milners, we pride ourselves on being knowledgeable, no-nonsense and approachable. If you’re looking for help with company and commercial law, please contact us for a free, no-obligation consultation.


Latest From The Blog

5 Star Rated

Client testimonials

Get your FREE no-obligation consultation

We'll discuss your problem in detail and lay out expected costs so you'll know where you stand from day one. Your first consultation is completely free and comes with no strings attached.

Completely FREE
No Obligation
Friendly & Welcoming