Right to Be Forgotten 

What Is the Right to Be Forgotten?

The “right to be forgotten,” also known as the “right to erasure,” refers to the idea that individuals have the right to remove their personal information from internet searches and databases under certain circumstances. 

This concept is primarily associated with privacy and data protection laws in various jurisdictions, most notably with the European Union’s General Data Protection Regulation (GDPR). 

In the United States, the concepts of the “right to be forgotten” or the “right to erasure” are not recognized at the federal level in the same comprehensive manner as they are under the GDPR. However, there are limited implementations in specific states and under certain regulations. 

Third-party definition 

An individual’s right to have their personal data deleted by a business or other organization possessing or controlling that data. – Progress

Evolution of the Right to Be Forgotten and the GDPR

Before the GDPR, the right to be forgotten was popularized by the European Court of Justice’s 2014 ruling, which held that individuals could request search engines like Google to remove links with personal information that was “inadequate, irrelevant or no longer relevant.”

The GDPR took this concept further by codifying it into law, providing a list of conditions under which the right could be exercised and clearly delineating the obligations of data controllers.

Unlike the pre-GDPR understanding, which was largely limited to search engines, the GDPR also applies the right to erasure to all data controllers across all sectors. 

Data controllers must erase data promptly where one of the conditions applies. However, there are some exceptions, such as when they need to keep this data to comply with legal obligations.

When Can You Exercise Your Right to Be Forgotten? 

Under the GDPR, individuals have the right to request the deletion of their personal data from data controllers without unnecessary delay. 

Data controllers are obligated to comply with these requests if any of the following conditions are met:

  • No longer necessary. The data is not needed anymore for the purposes it was collected or processed for.
  • Withdrawal of consent. The person has taken back their consent (which was the reason for processing the data), and there’s no other legal reason to keep processing it.
  • Objection to processing. The person does not agree to their data being processed, and there aren’t any significant legitimate reasons to continue, or they specifically object to processing for direct marketing.
  • Unlawful processing. The data was processed in violation of the law.
  • Legal obligation. The data must be deleted to fulfill a legal requirement applicable to the data controller in the EU or its member states.
  • Data of minors. The data was collected from a child under 16 years old for online services.

Exceptions to Your Right to Be Forgotten 

The obligations to delete personal data, as described in paragraphs 1 and 2 of Article 17 of the GDPR, do not apply when the data processing is necessary for the following purposes:

  • Freedom of expression and information. If the processing is essential for exercising rights related to freedom of expression and information.
  • Legal obligations and public interest. If it’s required to comply with legal obligations, perform tasks for the public interest, or exercise official authority.
  • Public health. If the processing is necessary for important public health reasons.
  • Research and archiving. If the data is needed for archiving in the public interest, scientific, historical research, or statistical purposes, and deleting the data would seriously hinder these efforts.
  • Legal claims. If the processing is needed for the establishment, exercise, or defense of legal claims.

These exceptions ensure that data processing can continue when it serves critical societal functions or legal requirements.

How to Exercise Your Right to Be Forgotten 

Follow the steps below to exercise your right to erasure under the GDPR: 

1. Identify the data you want erased

    Clearly identify the personal data you want erased. This could be anything from names and addresses in customer databases to posts and comments on social media platforms.

2. Locate the data controllers

    Determine which companies (data controllers) are holding or processing this personal data. This could include both the primary company with which you interacted and any other organizations that may have received this data from it.

3. Draft a formal request

    Prepare a formal request for erasure. This should be a written document (often an email suffices) stating clearly that you are requesting the erasure of your personal data under Article 17 of the GDPR.

    The request should specify exactly what data you want erased and, if possible, include any relevant identifiers (like customer or account numbers).

4. Send the request

    Send the request to the appropriate contact point. Most companies are required to provide a data protection officer (DPO) contact or a dedicated privacy contact email address.

5. Record the correspondence

    Keep records of all correspondence regarding the erasure request. This includes saving copies of the request and any responses received.

    This documentation can be useful if the request is not honored and further action is needed.

6. Follow up

    If the company does not respond or refuses to comply with the request, you can follow up to ask for the reasons for refusal and remind the company of its obligations under the GDPR. Companies typically must respond to such requests without undue delay or at least within one month.

7. Contact data protection authorities

    If the company fails to comply with the erasure request, you can file a complaint with your EU member state’s national data protection authority.

    This authority can investigate the complaint and enforce action if necessary.