What Is The Right To Erasure?

The Right to Erasure can help you protect your privacy in the digital environment. 

Some businesses live and breathe on the exchange of data. They specialize in scraping data from public records and making it publicly available to others.

Because of their services, it has become so easy to discover different data not just about places and things but also about people.

 

Go on people’s search sites, for example. You can easily search for someone and discover different details about this person, including the person’s address, contact details, and social profiles. While this could be convenient, it also means that someone else can potentially find sensitive information that can put your privacy at risk.

 

It may not sit well with you to have your personal data public. The risks involved could compromise your data privacy and overall security in the online environment.

 

If you want a certain business to erase personal data about you, the good news is that you have the right to request erasure. You can request information that involves you to be deleted. You may do so because of the GDPR.

 

Find out what the GDPR is and what your rights are.

The General Data Protection Regulation (GDPR)

The digital space seems to be a whole new world of its own. That being said, some laws are specifically designed to govern this space. One of the most famous and strict laws is the General Data Protection Regulation (GDPR).

 

The GDPR is considered the strongest security and privacy law worldwide. You can trace its roots to the European Union (EU), but its coverage may include businesses anywhere, as long as people in the EU are involved.

 

Are All Businesses Required To Follow The GDPR?

Even if the world acknowledges the authority of the GDPR, the truth is that not every single business needs to adhere to this Regulation. The GDPR has a specific scope and coverage. It was specifically designed for a particular purpose.

 

When Does A Business Have Legal Obligation Based On The GDPR?

Businesses that are part of the EU automatically have to adhere to the GDPR. However, the coverage of the GDPR can go beyond that. Companies from other countries and continents will have to follow the GDPR as long as they meet the following grounds.

 

• They monitor information of people from the EU. If a non-EU company uses tools to track site visitor cookies, personal data, or IP addresses of individuals from the EU, such a company must follow the GDPR.
• They offer goods and services to those from the EU. The GDPR is not strict towards vendors and sellers occasionally selling to the EU market. However, if a business regularly targets the EU market, this business needs to follow the standards of the GDPR. Regulators will look for hints or clues showing that an organization caters to an EU market. Hence, companies should know this.

 

If a business hits the EU market by selling to them or monitoring their data, such companies must comply with the GDPR standards.

 

The GDPR is a comprehensive law in itself that is implemented to protect an individual’s data privacy.

 

Before focusing on the specific right to erasure, let’s look into what a data controller, data processor, and data subject are.

Data Controllers, Processors, and Subjects

What Are Data Controllers?

A data controller is the one who decides why personal data is collected and how to process this personal data. Such controllers may be an individual, official authority, or agency. This data controller may work alone or in tandem with someone else in deciding on these details.

 

What Are Data Processors?

On the other hand, data processors are those in charge of processing personal data as determined by the data controller. Such processors do not control nor own the data collected. They do the processing.

 

What Is A Data Subject?

If data controllers are the decision-makers and processors simply process data, a data subject is the one whose information is collected, taken, and processed. If relevant personal data pertains to a particular person, the person involved is called the data subject.

 

How Do These Roles Operate Hand In Hand?

Both controllers and processors handle the personal data of data subjects. Controllers determine what the data is for and how it will be processed, while processors do the processing. A data subject, though not active in this process, is largely involved because this person’s same data gets controlled and processed.

 

As stated, if you find your data public, a controller and processor are working behind the scenes to control and process the data subject’s data. In this situation, the data subject is you.

 

While this may sound off to many, the GDPR ensures that every data subject is protected. A data subject’s rights to many different things are included in the Regulation.

GDPR: The Rights Of Data Subjects

As a data subject, you must know that you have various rights that you should exercise. These rights include the following:

 

• Article 7: The right to withdraw consent
• Articles 12-14: The right to be informed
• Article 15: The right to access
• Article 16: The right to rectification
• Article 17: The right to be forgotten or the right to erasure
• Article 18: The right to restrict processing
• Article 20: The right to data portability
• Article 21: The right to object
• Article 22: The right to object automated processing

 

The GDPR explains in-depth a data subject’s rights to all these things. Thus, as a data subject, you must know your rights according to the GDPR.

 

What If A Data Subject Objects To Having Data Used By A Business?

Moving on, you may object to having your personal data included in a public business listing or used for business interests. If this is the case, know that it is within your right to object and to issue an erase request to have your personal data erased.

A Data Subject’s Right To Erasure

The right to erasure, or the right to be forgotten, implies a data subject’s right to request personal data erasure. Because it is the explicit right of a data subject, businesses covered by the GDPR have the legal obligation to honor the data subject’s request to have data erased.

 

When Can Data Subjects Exercise This Right?

When a certain individual objects to having their personal data public, they may submit an erasure request. More specifically, this right can be honored if any of the following certain circumstances are met:

 

• When keeping personal data is not necessary anymore, in terms of why it was collected and processed in the first place.
• When consent for processing is withdrawn, and a data controller or processor does not have any lawful basis for proceeding with processing.
• When individual objects to the processing and overriding legitimate interest for continuation are not present.
• When your personal data is used to meet direct marketing purposes.
• When your personal data got unlawfully processed.
• When erasing personal data is necessary to meet a legal obligation.
• When the purpose of collecting your personal data involves offering information society services to children.

 

A data subject can exercise this right to erasure if any of these conditions are met. For a data subject to exercise this right, this subject needs to inform controllers by submitting an erasure request simply. This request may be a valid verbal request or a written valid request.

 

However, it is important to know that this right is not absolute. There is a thin line that governs it.

Should A Business Always Erase Personal Data Upon Request?

That being said, when a business receives a data subject’s request, should this business immediately honor this request every time?

 

If an erasure request is made within the subject’s right to erasure, businesses should honor it. However, companies must also know that data retention policies are at work. Having these policies at work means that there are instances when keeping personal data is still lawful even when a data subject made a request. Here is the lawful basis for data retention.

Data Retention Policies

The GDPR grants a recital to explain in-depth the condition and the lawful basis for data retention. The Regulation mentions in Recital 65 that data retention is permitted in the following certain circumstances.

 

• When it involves adhering to a legal obligation
• When it involves exercising the right to freedom of expression and information
• When it involves executing a task that prioritizes public interest or a controller’s official authority vested upon the person
• When it involves general public interest in terms of public health
• When it involves archiving purposes for public interest
• When it involves scientific or historical research purposes
• When it involves statistical purposes
• When it involves the exercise of defense of an establishment’s legal claims

 

These conditions show that there are indeed exemptions to the right to erasure. If businesses have the rightful supervisory authority and legitimate interests to keep personal data, they may do so. However, if there is no lawful basis for them to keep the personal data, they must take reasonable steps to erase personal data without undue delay.

Frequently Asked Questions

Q: What If A Business Does Not Honor This Right?

The GDPR, as a whole, requires fines or penalties to be made in cases of non-compliance. Depending on how serious the non-compliance is, the fine can reach up to 10 million euros. It may also be as high as 2% of the company’s total global turnover for the previous fiscal year.

 

Non-compliance is taken seriously by the GDPR, so businesses should be wary and take reasonable steps to comply with the standards.

 

Q: Do All Businesses On The Internet Have To Honor A Request To Erase Personal Information?

As mentioned earlier, the GDPR does not cover every business on the internet. If a company caters to an EU market in one way or another, this business should adhere to the GDPR.

 

The GDPR also specifically states the conditions where the right to erasure or the right to be forgotten should be honored. These include when information society services are involved and when keeping personal data is no longer necessary.

 

Aside from that, there are also cases where keeping data is legal even if requests are made. These purposes include scientific or historical research, public health, statistical purposes, archiving purposes, intents in line with the public interest, and other purposes stated above.

 

However, if businesses covered by the GDPR use personal data for other reasons such as direct marketing purposes, they must delete personal data upon request.

 

Q: What About Health Data?

The GDPR states that all data related to health can only be made public when the data subject gives consent. Health professionals and other involved parties must carefully handle preventative or occupational medicine or medical diagnosis data. Even a health professional has to be careful when it comes to publicizing this data.

Similar Privacy Laws in the United States

While the GDPR is a set of laws established by the European Union, there are similar data privacy laws in the United States. Unfortunately, the laws are a patchwork of local, state, and federal regulations; there is no single federal law that governs data privacy.

 

These laws include:

• Children’s Online Privacy Protection Act (COPPA)
• Health Insurance Portability and Accounting Act (HIPAA)
• Fair Credit Reporting Act (FCRA)
• Gramm Leach Bliley Act (GLBA)
• California Consumer Privacy Act (CCPA)
• New York SHIELD Act

 

Contact RemovePersonalInformation Today

To learn more about how you can protect your internet privacy and remove personal information from the web, contact RemovePersonalInformation today by dialing 844-445-6096 .