- The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
- the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
- Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
- Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defence of legal claims.
The right to be forgotten derives from the case Google Spain SL, Google Inc v Agencia Española de Protección de Datos, Mario Costeja González (2014). Now the right to be forgotten is being codified General Data Protection Regulation in addition to the right of erasure.
The correspondingly-named standard primarily regulates erasure obligations. According to this, personal data must be erased immediately as long as the data are no longer needed for their original processing purpose, or the impacted person has withdrawn his consent and there is no other reason for justification, the impacted person has objected and there is no preferential justified reason for the processing, or erasure is required to fulfil a statutory obligation under the EU law or the right of the Member States. In addition, data must of course be erased if the processing itself was against the law.
The responsible person is therefore subject on the one hand to automatic statutory erasure obligations, and must, on the other hand, comply with the impacted person’s desire to be erased. The law does not further describe how the data must be erased in individual cases. The decisive element is that the result is that it is no longer possible to see the data without disproportionate expense. One regards this effort as sufficient if the media has been physically destroyed, or the data is permanently over-written using special software.
In addition, the right to be forgotten is found in Art. 17 para. 2 of the GDPR. If the responsible party has published the personal data, and if one of the above reasons to erasure is present, he must take suitable measures with consideration of the circumstances to inform all those who are further responsible for the data processing that all links to this personal data or copies or replicates of the personal data must be erased.
An application of erasure is not subject to any particular form, and the responsible party need not link it to such a form. However, the identity of the impacted person must be proven in a suitable way, as otherwise additional information could be requested from the responsible party, or the erasure could be refused. If there is an application to erase or a statutory obligation to erase, this must be implemented quickly. This means that the responsible party only has a suitable time to check the conditions for erasure. In the case of an application for erasure, the impacted party must be informed within one month about the measures taken or the reasons for refusal. Once again, the right to be forgotten is reflected in the obligation to notify. In addition to erasure, according to Art. 19 of the GDPR the responsible entity must inform all receivers of the data. For this, he must use all means available and exhaust all appropriate measures.
If you want to make use of your right “to be forgotten“, please fill in the form:
“Make A Request” on this website.