Have you ever heard of the right to be forgotten? For European citizens, this right is protected by Article 17 GDPR (General Data Protection Regulation), or Regulation (EU) no. 2016/679. Let’s find out what it is.
The right to be forgotten
The Internet does not forget. Any online content that concerns us will remain more or less available forever. This can be a problem. Think, for example, of a person involved in a court case reported on TV or in the newspapers. Even if exonerated, that person would have to live forever with newspaper articles, videos, social posts, available to everyone on the web.
Although this is an extreme case, it explains the importance of the right to be forgotten, i.e. the right to erasure of personal data.
This right is the consequence of the principle that binds the processing of personal data to the consent of the interested party. When this consent is lacking, the data must be deleted. Therefore, the right to be forgotten is one of the many forms of the right to privacy, and it consists in asking for the cancellation of all those contents that can undermine a person’s reputation.
What does the Art. 17 GDPR say about the right to erasure
The Art.17 GDPR is all about the right to be forgotten (right to erasure, or right to oblivion).
Any person can exercise this right by asking the Data Controller – i.e. whoever process personal data – to delete all references to their data.
The Data Controller, when they receive such a request, must check whether there are legitimate reasons to deny it. If not, they must proceed with the cancellation “without undue delay“.
To exercise this right, it is not necessary to provide a justification: a simple request is enough.
However, Art. 17 GDPR clearly specifies the cases in which the erasure is mandatory:
- personal data are no longer necessary in relation to the purposes for which they were collected or processed;
- the data subject withdraws consent, and where there is no other legal ground for the processing;
- the data subject objects to the processing, and there are no overriding legitimate grounds for the processing or the data subject objects to the processing;
- personal data have been unlawfully processed;
- personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- data have been collected in relation to the offer of information society services.
The Data Controller must always follow the principle of minimization and delete the data as soon as the purpose for which they collected them ends, without the interested party asking for it.
As you can see, the EU Regulation provides for the right to delete data not only in relation to public news that can damage personal reputation. In fact, Art. 17 GDPR suggests its applicability also to data collected for marketing purposes. Again, the data subject can request cancellation at any time and without having to give any justification.
The right to be forgotten and other rights
The right to be forgotten is not an absolute right. It can be legitimately limited by other rights and freedoms. It means that an individual cannot request the cancellation if the data is necessary for the exercise of these rights.
According to Art.17 GDPR the right to be forgotten is not applicable in these case:
- exercising the right of freedom of expression and information;
- compliance with a legal obligation that requires processing by Union or Member State law, for the performance of a task carried out in the public interest, in the exercise of official authority vested in the controller;
- reasons of public interest in the area of public health;
- archiving specific purposes in the public interest, scientific or historical research purposes, or statistical purposes
- the establishment, exercise, or defense of legal claims.
For example, a journalist cannot be asked to delete an article in which he reported on a trial, because this would undermine the right of expression and information. Similarly, a person cannot request the erasure of data relating to a crime they have committed, because this would impede the right to judicial protection.
In other words, the right to be forgotten must be balanced with other fundamental rights.
In particular, it is often opposed to the usually prevalent right of information. In the case, the right to erasure is valid only when the news no longer has a public interest.
How to be GDPR compliant
The right to be forgotten is not easy to put into practice. Especially on social media, where users regularly post a large number of photos, videos, articles, and comments. It is up to each platform to establish specific procedures for the exercise of this right.
However, anyone who collects, processes, and stores personal data must be aware of the right to be forgotten and of Art.17 GDPR.
Knowledge is the first step in taking adequate measures. And in case of difficulty, it is always a good idea to contact professionals.
