GDPR Updates: Right to Erasure

In the week that Google loses a landmark case against a London businessman over his Right to Erasure, we take a look at what updates there are from the ICO in this particular section of the GDPR.

Google (none of) My Business

This week a UK citizen, who cannot be named, has exercised his right to have Google remove all online references to a spent criminal conviction from ten years ago. After the search engine giant refused to remove the data, he took them to court and won.

Google said in a statement:

“We work hard to comply with the right to be forgotten, but we take great care not to remove search results that are in the public interest.

“We are pleased that the Court recognised our efforts in this area, and we will respect the judgements they have made in this case.”

Although the Right to Be Forgotten is not new, the General Data Protection Regulation (GDPR) seeks to extend these rights for EU citizens, making it easier to be erased.

What is the Right to Erasure?

Article 17 of the GDPR states that individuals have the right to request that their personal data be removed permanently if:

  • the personal data is no longer required for the original purpose;
  • the data subject refuses or withdraws their consent (that that was the lawful basis you were relying on);
  • the data subject objects to their data being processed under legitimate interest, if you are relying on legitimate interest;
  • the data subjects to the type of marketing you are using their personal data for, like direct marketing for example;
  • you are in breach of the data processing principle;
  • you are required to by law; or
  • you are processing the personal data of a child in order to give information to social services.

You will need to inform other organisations about the erasure request if the personal data has already been shared with them or if the data has been made public online.

Can I refuse to erase the personal data?

You can refuse the right to erasure request if it is deemed unfounded or excessive. In which case you can request a ‘reasonable fee’, or simply refuse the request.

The Information Commissioner‘s Office (ICO) gives further examples of when the right to erasure does not comply:

  • to exercise the right of freedom of expression and information;
  • to comply with a legal obligation;
  • for the performance of a task carried out in the public interest or in the exercise of official authority;
  • for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
  • for the establishment, exercise or defence of legal claims.
  • if the processing is necessary for public health purposes in the public interest; or
  • if the processing is necessary for the purposes of preventative or occupational medicine.

Have you received a right to erasure request and wish that you had better documented the personal data you hold? ISMS.online has a tool for that.

manage and categorise the personal data you process and control

ISMS.online features a Personal Data Inventory & Records Processing Tracker to help you do just that.

Not ready to get started? Subscribe to receive more articles like this.

The information in this blog is for general guidance and does not constitute legal advice.

Julia Heron is the ISMS Solutions Specialist for ISMS.online and is responsible for customer adoption and success.

ISMS Online Rating: 5 out of 5
Share This