The right to be forgotten derives from the case Google Spain SL in 2014. For the first time, the right to be forgotten is codified and to be found in the General Data Protection Regulation (GDPR) in addition to the right to erasure.
The article 17 of the GDPR is the following: “the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- The data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing.
- The data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2).
- The personal data have been unlawfully processed.
- The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
- The personal data have been collected in relation to the offer of information society services referred to in Article 8(1).”
The data subject has the right to have their personal data erased. However, this right is not absolute and only applies in certain circumstances. It is imperative for an organization processing personal data that it is prepared for the eventuality that the data subject invokes this right. The data controller is obliged to react to such requests within 30 days. According to the GDPR, the controller must facilitate the exercising of this right and to offer the means to do so free of charge.
The obligation and the relatively short response time means that the organization must have strong working processes to receive a request, check whether there are reasons to continue processing the data, delete the data if applicable and inform the data subject about the action taken and any reasons to keep (a part of) the data.