The right to erasure, or the right to be forgotten, is a new right for individuals under the new GDPR. The principle of this new right is that when no compelling reason can be found for their data to be processed, the data subject can:
- Request their personal data to be removed/erased
- Stop further sharing of their personal data, and
- Potentially stop third parties from processing their personal data.
It’s important to remember that the right to erasure isn’t always applicable, as organisations only need to comply under certain circumstances.
The ICO state that:
Individuals have the right to have their personal data erased if:
- The personal data is no longer necessary for the purpose which you originally collected or processed it for;
- You are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
- You are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
- You are processing the personal data for direct marketing purposes and the individual objects to that processing;
- You have processed the personal data unlawfully (ie in breach of the lawfulness requirement of the 1st principle);
- You have to do it to comply with a legal obligation; or
- You have processed the personal data to offer information society services to a child
Back to glossary