This article has been written by Mr. Sandeep Bhalothia is an Indian registered lawyer who is currently working in Dubai, U.A.E. and Miss. Vizita Singh is post-graduate in business and commerce and is currently pursuing her law degree from India.

The purpose of this practical guide is to help you in understanding the Data Erasure Request (also known as Right to be Forgotten) under GDPR and how to comply with such requests.

What is GDPR?

The term GDPR stands for the General Data Protection Regulation (2016/67)[1]. It is a European Union Regulation and came into force on 25^th May 2018.

The purpose of this regulation is to protect the personal data of the natural person and to regulate the free movement of the personal data within the EU[2].

A lot has already been written about the various aspects of GDPR in last one year; however, there is very little content on practical aspects of multiple requests that an organisation can receive under the GDPR. In this article, we aim to cover one such request; the Data Erasure Request.

But before that, one needs first to examine whether the GDPR applies to their organisation or not. The scope of the GDPR is divided into two components; Material Scope [3]and Territorial Scope[4], and both the scopes need to be covered for GDPR to apply to an organisation.

Scope of GDPR Application

As per the Material Scope, the GDPR only applies to those organisations which are involved in the processing of the personal data, whether through automated or non-automated means. It is important to note that GDPR defines ‘Processing’[5] and ‘Personal Data’[6], and therefore, organisations should not take their general understanding of these terms and must refer to exact definition provided under the regulation.

As per the Territorial Scope, the GDPR even applies to those organization which are not based in EU but process the personal data of the data subjects who are in EU where the processing of the data is related to offering of goods or services, or monitoring of behaviour of the data subjects, if the said behaviour takes place in the EU.

Therefore, GDPR has an extraterritorial scope of application. Please refer to Guidelines 3/2018 on the Territorial Scope of GDPR published by European Data Protection Board to have an in-depth understanding of its scope[7].

What is Data Erasure Request under GDPR?

The GDPR provides several rights to the data subjects and one of such right is the right to request for ‘data erasure’.

As per Article 17 of the GDPR, a data subject can request for the erasure of its personal data from the controller and controller must erase the said data without undue delay[8]. This provision of the GDPR gives full control to the data subject over its personal data. 

Furthermore, Recital 59 of the GDPR provides that a controller is required to provide the data subjects a mechanism to request, free of charge, erasure of the personal data. If further states that if the personal data is being processed by electronic means that the concerned data subjects should be provided with a mechanism to place the electronic request for the erasure of the personal data.

Special protection has been provided where the request to process the personal data was collected from a child, especially on the internet. Such data subject can exercise their right to data erasure even if he or she is no longer a child[9].

To further strengthen the right to be forgotten in the online environment, Recital 66 of the GDPR provides that if a controller has made personal data public, then such controllers are under obligation to inform all the other controllers who are processing the said personal data to erase any links, copies or replications of those personal data[10].

When can data erasure request be made?

The grounds under which a data subject can raise a request for Data Erasure are listed under Article 17 of the GDPR. These grounds are as follows;

1. The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
2. The data subject withdraws consent on which the processing is based according to the point and where there is no other legal ground for the processing. Article 7(3) of the GDPR provide that the data subject has the right to withdraw the consent given for data processing at any time.
3. The data subject objects to the processing under Article 21 of the GDPR (Right to Object).
4. Article 18(1)(b) of the GDPR (Right to Restriction of Processing) provides that a data subject obtains from the controller restriction of processing where the processing is unlawful and request for Data Erasure under such circumstances.
5. The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
6. The personal data have been collected concerning the offer of information society services referred to in Article 8(1) which provides for conditions applicable to child’s consent concerning information society services.

Who can raise a Data Erasure Request?

An individual whose personal data is being processed can either make a direct request for the data erasure or take help of a third party to raise such a request with the data controller. For example, the data subject can take the assistance of their lawyer to raise the Data Erasure Request with the controller.

When a request is received from a third party acting on behalf of a data subject, then the controller of the data shall make sure that the said third party has the authority to act on behalf of the concerned data subject, and it is the responsibility of the third party to provide necessary evidence to establish such authority.

How can a Data Subject make Data Erasure Request?

The GDPR is silent on the ‘form’ of the request. It does not provide how a request for data erasure can be raised. Therefore, a data subject can request Data Erasure either verbally or in writing. Also, the data subject is not bound to request the specific department of any organisation like Leal and Compliance Department or IT Department. The data subject can raise the request with any department, even with the department which might not be related to the handling of data like company’s in-house graphic designer.

 

Click Here

Therefore, it is important to train and educate all employees about GDPR as the request for data erasure can be made to any person of the organisation, in any form, and it could be made verbally. 

Can you refuse to abide by data Erasure Request?

Yes, the data erasure request under GDPR is not an absolute right. There are some limited grounds under the GDPR to refuse the compliance with data erasure request and the same are provided under Article 17(3) and Recital 65 of the GDPR. These both provisions provide that the further retention of the personal data shall be lawful if;

1. If it is for exercising the right to freedom of expression and information.
2. For compliance with a legal obligation.
3. For public interest in the area of public health 
4. For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
5. For raising, establishing or defending a legal claim.

However, in case if you refuse to comply with the Data Erasure request then the same must be promptly communicated to the concerned data subject or to the third party acting on behalf of the data subject along with other information like; the ground for not taking the action, their right to raise a complaint with the ICO or other concerned supervisory authority, and seek a judicial remedy.

What is the Time Period to Comply with Data Erasure Request?

Article 17 of the GDPR provides that a controller is required to erase the personal data of the data subject without ‘undue delay’. However, it does not provide a specific time period or any guidance as to what constitutes undue delay. The reasonable time required to comply with data erasure request can vary from case to case as it would depend on various factors like;

1. How extensive and broad the request is,
2. How easy it is to identify the personal data or separate the data of specific data subject from the rest of the data,
3. What was the scope of the consent obtained from the data subject for the processing of the personal data?
4. How many sub-controller or processors are processing that personal data?
5. Limitation of available technology and tools to identify and delete the requested personal data

However, once a request is received, the controller should not delay in responding to such requests. It is important that controller acknowledge the receipt of such request, preferably within one month[11] and give the reasons where it intends to not comply with such request.

Penalty for Failure to Comply with data Erasure Request:

Article 83 of the GDPR provides guidance on the penalties imposed for breach of an obligation under the GDPR. As per Article 83(5) of the GDPR, a data controller can be fined up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher for breach of data subject’s right to Data Erasure!

The above administrative fine will be imposed after keeping various factors in consideration like nature, gravity and duration of the infringement, the intentional or negligent character of the infringement, action taken by the controller or processor to mitigate the damage, degree of cooperation with the supervising authority etc[12].

Steps to Follow on Receipt of a Data Erasure Request:

1. Establish the identity of the data subject. This is an important step to ensure that that the person requesting for the data erasure is the same person whose data deletion has been requested and whether your organisation is bound under the scope of GDPR to comply with such request. Make sure that you collect only the required minimum information for establishing the identity of the person. Do not start accumulating more unnecessary personal data in the process. If the request is received by a third party, then make sure that you request that third party the necessary proof to establish that it has the authority to act on behalf of the actual data subject for this purpose.
2. Request the concerned data subject to provide you with the reason behind their request and check whether those grounds fall within the scope of Article 17(1) of the GDPR or not. Request them to provide any information, document or attachment to support their request.
3. Request the concerned data subject to describe the information that they wish to be erased. Request the data subject to provide any relevant details that they think will help you to identify the information. Ask if they can provide the URL for each link they want to be removed.
4. Check whether you are required to comply with the Data Erasure request or not. See if you can take the defence available under Article 17(3) and Recital 65 of the GDPR. If you have a valid ground to refuse to comply with the data Erasure request, then communicate the same to the concerned data subject with valid, specific reasons without undue delay.
5. If you don’t have a valid ground to refuse the Data Erasure request then inform all the concerned internal team of your organisation to mark the data subject’s personal data which could be on servers’, backups, emails, hard drives, stored on cloud platforms etc. Assess the implication of deletion of such data on the system. Does the deletion of such impact on the working of a software? Is it possible to delete that data from all backups? Is it possible to locate an individual strand of data from the cluster? All such questions and situations need to be examined before executing the deletion of data.
6. Immediately communicate with all third parties, processors, and sub-processors and make sure that they also delete the personal data shared with them of the effective compliance of the data erasure request.
7. Make sure you have the personal data requested for erasure before processing the data erasure request. In case you don’t have the data, then inform the said data subject that the data requested for erasure was not collected.
8. Maintain an internal log along with the actions taken for each request. Make sure to update the log simultaneously to avoid any mistake.
9. Start deleting the data and keep the concerned data subject updated as you move forward.

Practical Tips:

1. It is important that the organization which falls under the scope of GDPR is fully compliant with its requirements. To do so, it shall regularly audit its privacy policy, HR Policy, should educate, train and raise awareness about GDPR among its employee, take help of data privacy lawyers in drafting internal and external policy etc.
2. Have a detailed written process in place to handle a data erasure request.
3. Compliance with the Data Erasure Request must be taken as a priority without any undue delay.
4. Have a clear understanding of when you are not required to comply with the Data Erasure Request, as it is not an absolute right of a data subject. In case of doubt, always take the help of an expert to guide you through.
5. You can ask for a reasonable fee or deny a request if you can justify the request was unsubstantiated. 
6. Have a “Data Erasure Request Form.” A sample format of the same is available at – https://gdpr.eu/right-to-erasure-request-form/
7. Consider warning the data subject that any attempt to mislead the organisation with the said request can result in prosecution.
8. Make sure that your organizations’ technical team can easily and quickly locate the personal data so that all the data erasure request can be handled efficiently.
9. Always have a clear understanding of all processors and controllers involved in the processing of the personal data. This will help in efficient communication with such controller and processors on the receipt of a Data Erasure Request. This will also avoid any chance of missing a processor or controller when complying with a request. It is important that a request is holistically complied with.
10. For the compliance and internal audit requirements, it is important that every organization maintain a log for all data erasure requests received and actions taken.
11. Make sure that you collect only required data for running of the business or for compliance of data erasure request. Do not start accumulating more data of a data subject while complying with a request like asking for unnecessary personal information to establish the identity of the request raiser.
12. Collect minimum data and ensure minimum diffusion of the same to avoid suffering while complying with data erasure requests.
13. Regularly audit the organizations contracts, websites, systems, servers, backups, databases, software etc. to know what kind of data is being collected and whether the systems used to allow you to easily identify and delete the individual record.
14.  To be fully compliant with GDPR, it is important to deal with only those processors or sub-processors which are themselves compliant with the GDPR requirement. Make sure that you have an understanding with all your processors and sub-processors to force them to comply with any Data Erasure Request.
15. The request for Data Erasure can be even made orally to any of controller’s employee, and therefore, all the concerned employees should be able to identify such requests and under their role in the process. There should also be a log for all request received orally.
16. Make sure that you don’t only know when you can refuse to comply with the Data Erasure Result, but you are also aware of circumstance under which you can extend the time limit to respond the request as provided under Article 12.3 of the GDPR.
17. Understand that Recital 65 of the GDPR puts specific emphasis on the right to Data Erasure if the request relates to personal data collected from a child.

For any query related to this article or GDPR, please get in touch with the authors at – [email protected]

Endnotes

[1] Available at – https://gdpr.eu/tag/gdpr/

[2] Article 1 of the GDPR

[3] Article 2 of the GDPR

[4] Article 3 of the GDPR

[5] Article 4(2) of the GDPR

[6] Article 4(1) of the GDPR

[7]  Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), 23^rd November 2018. Available at – https://edpb.europa.eu/our-work-tools/public-consultations/2018/guidelines-32018-territorial-scope-gdpr-article-3_en

[8] Article 17 of the GDPR

[9] Recital 65 of the GDPR

[10] Recital 66 of the GDPR

[11] Article 12.3 and Recital 59 of the GDPR

[12] Article 83(2) of the GDPR