The GDPR legislation gives individuals the right to request their personal data is deleted or removed from an organisations records if they have no good reason to continue processing it. This right is known as the right to be forgotten.
When can this right be applied?
• If the individual withdraws their consent (where you’ve relied on consent as the lawful basis for processing)
• If the individual objects to the processing (and there’s no legitimate interest for your business to continue the processing that overrides their objection)
• If the data was process unlawfully
• If the data was processed to offer online services to a child
• If the data needs to be deleted for legal reasons
• If the data is no longer needed for the reason it was originally collected
When can’t it be applied?
• If your business needs the data to comply with a legal obligation within the public interest or as a request of an official authority
• If the data is needed for achieving purposes in the public interest, historical research, statistical purposes, or scientific research
• If the data is being used for the application or defence of legal claims
• If processing the data is an example of the right of freedom of expression or information
If you do accept the request and erase the data, you must inform any third parties that you disclosed the information to (if it’s possible to do so). And any organisations that process the data should be advised by you to also erase links to or copies of the personal data.
Want to access this guide?
Already have a Farillio account? SIGN IN
Get unlimited access to 100s of legal resources by signing up to Farillio today.
- Manage your legal documents online
- Well written legal templates by our partners
- Guides to help you understand law
- Legal help available every step of the way