One of the most remarkable (and, from a certain point of view, revolutionary) innovations introduced by the GDPR is the right to be forgotten. In the digital age, in which everyone seems to have the goal of being remembered, the GDPR’s right to be forgotten reminds people that, just as they can give consent to the processing of their personal data in order to receive services or products, they also still have the right to have those data erased. People have always had the right to withdraw consent, but since May 25, 2018, the GDPR has established and regulated this right.
Right to erasure: What does it consist of?
As the GDPR states in article 17 and in recitals 65 and 66, “the data subject will have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.” As a consequence, the controller is responsible for the erasure of personal data in 6 specific cases:
- When the personal data are no longer necessary for the purposes of processing.
- The data subject withdraws consent (according to article 6, paragraph 1, point a, and article 9, paragraph 2, point a) and there are no other legal grounds for the processing.
- The data subject exercises the right to object according to article 21, paragraphs 1 and 2.
- The personal data of the data subject have been unlawfully processed.
- There is a legal obligation in Union or Member State law according to which erasure of personal data is necessary in order for processing to be compliant with this law.
- The personal data have been collected in relation to the offer of information society services directly to a child (article 8, paragraph 1).
If one or more of these circumstances occur, the controller must erase the personal data of the data subject. In addition, if the personal data have been publicly disclosed, the controller must take reasonable measures, including technical and technological ones, to inform any other processor involved in the processing that the data subject has exercised the right to have his or her personal data, as well as any links to or copies of these data, erased. The right to be forgotten is reinforced by the notification obligation of article 19, according to which the controller has to inform every recipient to whom the personal data have been disclosed about any rectification or erasure requested.
Cases in which article 17 will not apply
The right under article 17 is not always guaranteed. The GDPR lists cases in which it does not apply because processing is necessary:
- For the right of freedom of information to be guaranteed and exercised
- For the compliance with a legal obligation or for a task of public interest
- Where there are reasons of public interest in the area of public health
- For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
Reasons why article 17 could be considered revolutionary: The case of Google Spain
The right to be forgotten is the natural consequence of what happened in the 2014 case of Google Spain and Google Inc. vs Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD) and Mario Costeja González. Mr Costeja González lodged a complaint with the AEPD against La Vanguardia Ediciones SL, which publishes a daily newspaper with a large circulation, and against Google Spain and Google Inc. The complaint was based on the fact that personal data relating to Costeja González appeared in two web links to La Vanguardia’s newspaper when his name was entered in Google’s search engine. These links concerned a real-estate auction connected with attachment proceedings.
The AEPD rejected the complaint against the publishing house, claiming that the publication of that kind of information was legally justified in order to give maximum publicity. On the other hand, the complaint was upheld and directed against Google Spain and Google Inc., both considered to be subject to data protection legislation.
At the end of a complex hearing, the Court ruled that the search engine could be considered as performing personal data processing (hence, it was considered a controller), and that a data subject could exercise the right to have the links including personal data removed, even if these personal data could remain on the linked pages. In the opinion of many professionals, this represented a limitation on the real impact of this case for future developments of data protection principles.
GDPR has made a step forward
In recognizing a right to be forgotten, the GDPR has taken a step forward: everyone will have the right to have his or her personal data erased, and within a time frame which is clear to both parties. Additionally, everyone will have the right to know any controller involved in the processing of his or her personal data. Last, but not least, everyone will have the right to have his or her personal data erased, even by potential recipients to whom his or her data have been disclosed.
No doubt this means a new and different way to consider privacy: as a right (“I can say yes or no and, if I can’t say no, I can know why”). It also means that privacy is due to everyone (“I give consent for my personal data to be processed because I have been informed and I am aware of anything which could apply to the processing of my data”).