
Understanding GDPR Article 17: The Right to Erasure Explained

Article 17 deals with one of the most important aspects of EU and UK GDPR law – a data subject’s ‘right to be forgotten’, also written as the ‘right to erasure’.

Article 17 lists several grounds on which a data subject may request to be forgotten, along with an organisation’s obligation to inform other controllers that may also be processing the subject’s data for their own purposes.

GDPR Article 17 Legal Text

EU GDPR Version

Article 17 – Right to erasure (‘right to be forgotten’)

  1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
    • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
    • the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
    • the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
    • the personal data have been unlawfully processed;
    • the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
    • the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
  2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
  3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
    • for exercising the right of freedom of expression and information;
    • for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    • for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
    • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
    • for the establishment, exercise or defence of legal claims.

UK GDPR Version

Article 17 – Right to erasure (‘right to be forgotten’)

  1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
    • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
    • the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
    • the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
    • the personal data have been unlawfully processed;
    • the personal data have to be erased for compliance with a legal obligation under domestic law, to which the controller is subject;
    • the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
  2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
  3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
    • for exercising the right of freedom of expression and information;
    • for compliance with a legal obligation which requires processing under domestic law or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
    • for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
    • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
    • for the establishment, exercise or defence of legal claims.

Technical Commentary

Data subjects are not able to exercise a blanket right to have their data erased. Requests must be in accordance with one of the below legal criteria:

  • the data is no longer necessary for the initial purposes;
  • withdrawal of consent (where the whole basis for processing is based on consent);
  • an objection to processing, or the absence of any legitimate grounds for collection and/or processing;
  • unlawful/illegal processing;
  • compliance with another legal obligation;
  • child protection-related purposes.

If an organisation has made personal data public, for any reason, it should take ‘reasonable steps’ to inform any other controllers – including employees – and third parties of the need to erase the data, as requested by the data subject.

ISO 27701 Clause 7.2.2 and EU GDPR Article 17

In this section we talk about GDPR Articles 17 (3)(a), 17 (3)(b), 17 (3)(c), 17 (3)(d) and 17 (3)(e).

Identifying a Lawful Basis

To form a documented legal basis for processing PII in the first instance, organisations should:

  1. seek consent;
  2. initiate a contract;
  3. comply with any other legal obligations;
  4. protect the ‘vital interests’ of the PII principals in question;
  5. only carry out tasks that are in the public interest;
  6. ensure that processing activities constitute a legitimate interest.

Organisations should also consider any ‘special categories’ of PII that relate to a data classification scheme (see ISO 27701 Clause 7.2.8).

Supporting ISO 27701 Clauses

  • ISO 27701 7.2.8

ISO 27701 Clause 7.3.5 and EU GDPR Article 17

In this section we talk about GDPR Articles 17 (1)(a), 17 (1)(b), 17 (1)(c), 17 (1)(d), 17 (1)(e), 17 (1)(f) and 17 (2).

Providing Mechanisms to Object to PII Processing

Laws vary from region to region, but jurisdictions often provide individuals with the right to raise an objection relating to how their data is being collected, processed and shared.

In accordance with this, organisations should:

  1. record any legal or regulatory requirements that deal with specific objections;
  2. provide individuals with clear, concise and easily-understood directions on how to object to their data being collected, processed or shared.

ISO 27701 Clause 8.3.1 and EU GDPR Article 17 (2)

Obligations to PII Principals

Organisations need to ensure that customers are given the appropriate means to fulfil their (i.e. the organisation’s) obligations as a PII controller, across three key operational areas:

  1. legislative;
  2. regulatory;
  3. contractual.

Index of Linked EU GDPR Articles and ISO 27701 Clauses

GDPR Article                               ISO 27701 Clause   ISO 27701 Supporting Clauses
EU GDPR Articles 17 (3)(a) to 17 (3)(e)    ISO 27701 7.2.2    ISO 27701 7.2.8
EU GDPR Articles 17 (1)(a) to 17 (2)       ISO 27701 7.3.5    None
EU GDPR Article 17 (2)                     ISO 27701 8.3.1    None

How ISMS.online Helps

GDPR is generally regarded as the toughest privacy and security regulation in the world, with breaches resulting in significant fines. It can be ambiguous and open to interpretation, suggesting that organisations must provide a ‘reasonable’ level of protection for personal data.

But here’s the good news. ISMS.online makes it easy for you to jump straight into your journey to GDPR compliance and to demonstrate a level of protection that goes beyond ‘reasonable’, all in one secure, always-on location.

The ISMS.online platform has built-in guidance at each step combined with our ‘Adopt, Adapt, Add’ implementation approach so the effort required to demonstrate your approach to GDPR is substantially reduced. You will also benefit from a range of powerful time-saving features.

Find out more by booking a short demo today.


John Whiting

John is Head of Product Marketing at ISMS.online. With over a decade of experience working in startups and technology, John is dedicated to shaping compelling narratives around our offerings at ISMS.online ensuring we stay up to date with the ever-evolving information security landscape.
