GDPR: Right to Be Forgotten

Written by: Nathan Rizzuti

Updated January 5, 2023

The internet age ushered in an entirely new frontier for what identity protection means. While creating a formal system of laws protecting online identity took time, the EU’s General Data Protection Regulation was a massive step toward defending consumer privacy. There are formal laws guaranteeing internet users certain rights; our mission is to help you understand them and further protect yourself while online. Below, we’ll discuss the GDPR right to be forgotten. We’ll explain what it is, how it helps protect you, and in what cases it doesn’t apply.

KEY TAKEAWAYS:

  • The GDPR right to be forgotten is a protection law allowing users to request their data be removed from organizational data banks.
  • The GDPR outlines specific examples of when and how data subjects may submit requests to have their data erased.
  • If an organization holds the data legally and the data remains relevant to its legal basis, the organization will not be forced to remove a subject’s data.

For more information on consumer privacy, feel free to check out our additional reads on the GDPR’s definition of sensitive personal information as opposed to the GDPR’s definition of personal information. Lastly, we have a great article explaining how to disable cookies on your computer.

Insider Tip

Before submitting a request to exercise the right to be forgotten, read through Article 17 to ensure your proposal falls under the provided stipulations.

GDPR and the Right to Be Forgotten

In the GDPR, details regarding the legal obligation to the right to be forgotten (also known as the “right to erasure”) appear in Article 17. Article 17 states:

“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have an obligation to erase personal data without undue delay where one of the following grounds applies:”

So what does this mean? First, the right to erasure gives users a level of protection: they can request that their data no longer be kept by the organization that collected it.

Article 17 also lists a handful of circumstances under which the right to be forgotten applies. These circumstances include:

  • When a user’s data is no longer needed for the reason for which it was collected, even if they established an additional legal basis (Article 17)
  • If a user decides to withdraw their data and the company has no other legal basis for processing it (Article 17)
  • If a company unlawfully processes a user’s data (Article 17)
  • If a user does not want their data used for direct marketing (Article 17)

There are also questions surrounding the language of “undue delay” and its meaning. In essence, undue delay guarantees a quick decision after a user requests that a company delete their data. Usually, this takes about a month, but there’s no set period of time.

Warning

If you are a celebrity, public official, or media member, getting data removed under the GDPR’s right to be forgotten articles will be more challenging.

Cases Where the Right to Erasure Doesn’t Apply

It’s important to remember that there are also cases where the GDPR doesn’t apply. It’s hard to give clear lines, but if the request doesn’t fall within the parameters listed above, a user may not be able to get their data removed.

STAT: In 2020, Google refused to adhere to the GDPR right-to-be-forgotten laws, resulting in a fine of 600,000 Euros. (source)

GDPR Right to Be Forgotten FAQs

Does the GDPR apply to citizens outside of the EU?

The GDPR deals explicitly with citizens living in EU countries. However, many other countries have laws similar to the GDPR guaranteeing similar rights.

How do you submit a request to have data removed under the GDPR?

The request is made either in written or verbal form and has to be submitted to a member of the organization holding a user’s data.

When was the GDPR put into effect?

The GDPR was passed through the European Parliament in 2016. By 2018, all organizations within the EU were forced to comply.