Right to Deletion
What Is the Right to Deletion?
The “right to deletion,” often referred to as the “right to be forgotten” or the “right to erasure,” is a privacy right that lets individuals request the deletion of their personal data from an organization’s records under certain circumstances.
This right is a fundamental aspect of data protection laws in various jurisdictions, including the European Union’s General Data Protection Regulation (GDPR).
It aims to strengthen individuals’ control over their personal data and ensure that it is not held indefinitely without a valid reason. It also addresses the risks that could arise from the continuing storage of data, such as potential misuse or breach.
However, the right to deletion is not absolute and can be subject to certain exceptions under all laws. For example, if the data is necessary for compliance with a legal obligation or scientific or historical research purposes, the data controller may deny the deletion request.
Third-party definition
An individual’s right to have their personal data deleted by a business or other organization possessing or controlling that data. – Progress
Right to Deletion Under the GDPR In Europe
Under the European Union’s GDPR, the right to deletion allows individuals to have their personal data erased by the data controller when:
- The data is no longer necessary for the original purpose it was collected for.
- The individual withdraws consent (if the processing was based on consent), and there is no other legal ground for processing.
- The individual objects to the processing, and there are no legitimate reasons to continue with it.
- The data has been unlawfully processed.
- The data must be erased for legal reasons.
- The data was gathered from a minor under the age of 16 for online services.
How to exercise your right to deletion under the GDPR
Follow these steps to exercise your right to deletion under the GDPR:
1. Identify the relevant personal data
Pinpoint the specific personal data you wish to have erased. This may include details like names and addresses stored in customer databases or content such as posts and comments on social media platforms.
2. Determine the data controllers
Identify the organizations (data controllers) that hold or process your personal data. This usually involves the primary organization you have interacted with and any secondary organizations that might have received your data.
3. Compose a formal request
Create a detailed written request for erasure.
This request should be clear and state that you want your personal data erased in accordance with Article 17 of the GDPR.
Be sure to detail the specific data you seek to erase and include any identifiers that may help identify your data, such as customer or account numbers.
4. Submit your request
Send your erasure request to the correct contact point provided by the organization. Most organizations are mandated to have a contact for their Data Protection Officer (DPO) or a specific email address for privacy concerns.
5. Document all interactions
Maintain records of all interactions related to your deletion request, including the original request and any responses you receive. This documentation can be crucial if your request is not complied with and further actions are necessary.
6. Follow up
If there is no response or if the request is denied, follow up with the organization to inquire about the reason for refusal and remind them of their duties under the GDPR.
Companies are generally required to address such requests promptly, typically within one month.
7. Engage data protection authorities
If the organization fails to fulfill your erasure request, consider filing a complaint with the data protection authority in your EU member state. This authority usually has the power to investigate and potentially enforce compliance.
Right to Deletion In the US
In the US, the right to deletion is primarily governed at the state level rather than federally.
The most comprehensive and explicit rights to deletion are found within state privacy laws, notably in California, Virginia, Colorado, and other states that have enacted privacy regulations inspired by the European Union’s GDPR.
However, there are exceptions where businesses can refuse to delete data, such as when the information is necessary to complete a transaction, comply with legal obligations or is used in ways that are compatible with the context in which the personal information was collected.
Certain federal laws address the deletion or secure disposal of data in specific industries. For example, COPPA, which protects children’s online privacy, allows parents to request the deletion of their children’s personal information from online services.
How to exercise your right to deletion in the US
Exercising your right to deletion under US state laws involves several steps, which depend on where you live.
Here is a general guide on how to go about exercising your right to deletion in the US:
1. Determine eligibility
For example, the California Consumer Privacy Act (CCPA) applies to residents of California and businesses that meet certain criteria regarding annual revenues or the volume of data they process.
2. Identify the data holder
Identify the company or organization holding your personal data. This entity is responsible for processing your deletion request.
3. Review the policy
Review the privacy policy of the organization to understand its process for handling data deletion requests.
The policy should outline how to submit a request and what information you need to provide.
4. Prepare your request
Prepare a formal request.
This might include:
- Your full name and contact information.
- A clear statement that you are requesting the deletion of your personal data.
- Any specific details about the data you want deleted, if applicable.
- Identification or verification details as required by the company to ensure that they are dealing with the data subject or their authorized representative.
5. Submit your request
Submit your request through the designated channel. Many companies provide an online form or a specific email address for such requests. Others might require a written request through postal mail.
6. Follow up
After submitting your request, the company should acknowledge receipt of your request.
State laws typically require the company to respond within a specific time frame (e.g., 45 days under CCPA, extendable under certain conditions).
Keep a record of your communications in case you need to follow up or appeal the decision.
7. Understand exceptions
Be aware of exceptions where companies might deny your deletion request.
Common exceptions include the necessity of data for completing transactions, compliance with legal obligations, resolving disputes, enforcing agreements, or for certain internal uses deemed compatible with the context in which the personal data was collected.
8. Seek assistance
If your request is denied or ignored, you may seek assistance from the relevant state authority overseeing data protection laws.
For instance, California residents can contact the California Attorney General’s Office.