The right to be forgotten: what is it and how does it work?
In a hyper-connected digital society, where sharing information is increasingly easier, faster, and even necessary, the right to be forgotten is key to protecting one’s privacy and preserving one’s online reputation in the long term.
This particular form of guarantee is regulated by the GDPR (General Data Protection Regulation), effectively operational since May 2018, which introduced specific guidelines for the protection of personal data and respect for privacy.
The right to erasure allows individuals to request from authorities the removal of their personal data from search engines and other websites by directly contacting the site manager or the company that legally holds the data.
As indicated in GDPR’s Article 17, this is a reinforced form of the right to the cancellation of personal data. Indeed, the data controller, who has made public specific information related to the interested party by publishing it on a website, must also inform other owners who process the same data of the erasure request, which covers any link, copy or replication.
The data owner is the natural or legal person who decides data processing purposes and methods, while the data controller is the person who processes data and information on behalf of the owner. The data subject, instead, is the natural person, thus the interested party, to whom the personal data refer. Therefore, in the case of the right to be forgotten, the interested party can request the complete deletion of personal data from the owner or data controller.
According to GDPR’s Article 4, a general definition of personal data concerns “any information relating to an identified or identifiable natural person (‘data subject’), while an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Let’s think about a quick and simple example: a user decides to delete a social media profile, but only later realizes that personally identifiable information, like a complete name or a profile photo, is still present online. Under the right to be forgotten, the user would have the right to request that the company that owns and manages the social network platform erase that data from search engines permanently.
When can you exercise the right to be forgotten?
EU Regulation 2016/679 establishes that the interested party has the right to request and obtain from the data controller the total deletion of personal data.
This is possible if specific conditions clarified in Article 17 of the GDPR occur:
- personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the interested party revokes the consent to the processing of personal data and there is no other legal basis allowing the processing;
- the interested party objects to the processing and there is no overriding legitimate reason to proceed with it;
- personal data were processed unlawfully, without consent or in breach of legal terms;
- personal data must be erased to comply with legal obligations under EU or Member State law to which the data controller is subject;
- personal data were collected for information purposes, in relation to the offer of information society services.
Hence, in short, personal data must be deleted if:
- they are no longer necessary for the purposes of the processing for which they were initially collected;
- the interested party revokes the authorization for the processing of the individual information;
- they have been processed in breach of the legal terms specified by data processing contracts and obligations, especially according to EU or Member State law.
This translates into the commitment of the data controller to delete personal data that were made public, taking into account the available technology to do it and its costs. Furthermore, the data controller must take reasonable measures to inform those responsible for processing the personal data about the explicit request of the interested party to remove any link, copy or reproduction of personal data and information.
What are the exceptions to the right to be forgotten?
The right to be forgotten cannot always be exercised successfully by the interested party. In fact, in particular situations, there are exceptions provided for by the GDPR.
So, the right to be forgotten can’t be applied if the processing of data is necessary:
- for the exercise of the right to freedom of expression and information;
- for the fulfillment of a legal obligation or task that requires data processing under EU or Member State law to which the data controller is subject;
- for public interest purposes, especially concerning public health, scientific or historical research, or statistical purposes;
- for the verification, exercise or defense of a right in court.