 |
RIGHT TO ERASURE (RIGHT TO BE FORGOTTEN) IN A
NUTSHELL
Definition
The right of the data subject to obtain from the controller, under certain conditions, the
erasure of his or her personal data.
Introduction
The art. 17 of GDPR introduces in the data protection regulatory framework the right to
erasure (also known as right to be forgotten). According to the art. 17, the data subject has
the right to obtain from the controller the erasure of his or her personal data, as long as one
of the following conditions is met:
a) the personal data are no longer necessary in relation to the purposes for which they
were collected or otherwise processed;
b) the data subject withdraw the consent to process his or her data which was given
for specified purposes;
c) there are no compelling legitimate grounds for the processing or the personal data
are processed for direct marketing purposes;
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union
or Member State law to which the controller is subject;
f) the personal data have been collected in relation to the offer of information society
services to a child.
Compelling legitimate grounds, direct marketing and burden of proof
According to art. 21(1) the burden of proof to demonstrate the existence of compelling
legitimate grounds lies on the controller which has to demonstrates that the legitimate
ground overrides the interests or the fundamental rights and freedoms of the data subject.
Differently, when the processing happens for direct marketing purposes , the data subject
has the right to object at any time the processing of his or her personal data.
Lawfulness of processing
The parameter to gauge the lawfulness of the processing is the art. 6(1) which identifies all
the cases in which the processing is considered lawful, like for example when “is necessary
for the performance of a contract to which the data subject is party or in order to take steps
at the request of the data subject prior to entering into a contract”.
Children specific protection
One of the goal of the GDPR is to recognize a strengthened protection to children especially
in the online environment.
The expression ‘Information society services’ refers to online services. That means that the
child will always be entitled to request the erasure of his or her personal data from online
services, such as social networks and internet forums, due to the assumption that he or she
is not fully aware of the risks involved by the processing. The right to erasure can be
exercised by the data subject even if he or she is no longer a minor. In other words, the age
of the data subject at the time of the consent determines if the specific protection is
granted.
The obligation of the controller to notify other controllers
The art. 17(2) provides that whenever the controller has made public the personal data
subjected to the right to erasure, the controller has to inform other controllers which are
processing the personal data that the data subject has requested to erase any links to, or
copies or replications of those personal data.
The purpose of this provision is to reinforce the efficacy of the right to erasure particularly in
the online environment which is characterized by the ease of replicating contents.
For example, if an article published by an online newspaper is removed because the data
subject exercised the right to erasure, the publisher of the article has to notifies the owner
of a blog who republished the article in a post.
Cases in which the right to erasure can be rejected
The right to erasure is not absolute and has to be balanced with other fundamental rights
and public interests.
According to art. 17(3) the right shall not apply when the processing is necessary:
a) For exercising the right of freedom of expression or information;
b) for compliance with a legal obligation which requires processing by Union or
Member State law or for the performance of a task carried out in the public interest
or in the exercise of official authority vested in the controller;
c) for public health purposes which are in the public interests;
d) for archiving purposes in the public interest , scientific or historical research
purposes or statistical purposes;
e) for the establishment, exercise or defence of legal claims.
Commenti
Posta un commento