Should personal data be deleted?

When Should Personal Data Be Deleted?

Should personal data be deleted from the web? How can you erase personal data once and for all? Our guide provides insights into protecting your digital privacy.

It is very easy to access the personal data of someone online these days. While this could come in handy at some point, it also means that others can easily access your information as well.


This reality may not sit well with you, but the good thing is that data brokers, for example, and other sites give you the option to submit a removal request to have different data categories of yours deleted.


However, on the side of the information broker or similar service provider, the question is when personal data should be erased. Should a data broker process every erasure request?


To understand this better, it’s important to understand what personal data really is, what the law has to say about data privacy, and when service providers should delete personal data.

What Counts As Personal Data?

It is easy to informally conclude what personal data is and isn’t. To standardize things, however, there is actually a legal and lawful basis that you can look into and refer to.


The GDPR (General Data Protection Regulation) states that personal data refers to any type of information that is related to an identified natural person or data subject.


Simply stated, personal data is any kind of information that is related to a person’s identification. It may include a name, location information, ID number, a specific online identifier, or any factors that pertain to that person’s social, cultural, economic, mental, genetic, physiological, or physical condition.


Personal data is sometimes referred to as “personally-identifying information” or PII. Such data can be commonly found on the web, even if specific laws forbid it.


That being said, several data types actually count as personal data. As long as this information helps in describing and identifying a person (data subject), it is considered personal data.

Data Protection

Even if the US does not have a single data protection law that Americans can refer to, several other related laws could still serve as a legal basis, especially regarding online data privacy.

The General Data Protection Regulation (GDPR)

The GDPR, for one, has international coverage of those who offer services and businesses online to an EU market. While the GDPR automatically applies to those who are part of the European Union, its scope may also cover non-European entities when any of the following criteria are met.


  • The offering of goods and services to an EU market. While the GDPR isn’t that strict when it comes to occasional buying and selling, regulators actively look out for any hints about whether an organization offers goods and services to those within the EU. Simply stated, if a business is not located in the EU but caters to EU audiences, the business must comply with GDPR standards.
  • The monitoring of online behavior involving those from the EU. If a specific business utilizes certain tools that enable them to track IP addresses or cookies of site visitors from the EU, these businesses have to comply with the GDPR.


Those who do serious business online are well familiar with the GDPR. It is actually considered the world’s toughest privacy and security law. Considering this, it is worth it to know what the GDPR has to say about data protection.

How Data Processing Works

Before digging into the rights mentioned in the GDPR, let’s look into how processing works, what a data controller is, what data processing is, and how processors and controllers work in tandem.


Data Controllers

The GDPR defines a controller as a legal person, agency with a supervisory authority, public offices, or other entity that, whether alone or with others, decides the purpose and the method of processing an individual’s data.


As its name suggests, a data controller basically controls what personal data is used for and how it is processed.


Processing Of Data

While the GDPR does not concretely define what this processing is, you can infer it from its definition of a processor. The law defines a processor as the person, public agency, rightful authority, or other entity that does the processing instead of the controller. These processors do not own or control the data; they simply process it.


How Do Controllers And Processors Work Together?

While data controllers determine the purpose and means of processing information, processors are the ones who process the data in the way that was determined by the controller.


Knowing this is necessary to understand what the GDPR says about data protection and what a data subject can rightfully do.


Rights Of A Data Subject According To The GDPR

The GDPR has an in-depth compilation of various rights and articles about data regulations. Among these are some that should be stressed when it comes to personal data protection. For one, it is important to know the rights of the center of personal data: the data subject.


These rights comprise the following.


The Right To Withdraw Consent (Article 7)

Such a subject may take back the consent that was previously granted.


The Right To Be Informed (Articles 12-14)

Such a subject has the right to know and be informed about the use and collection of their personal data.


The Right To Access (Article 15)

Such a subject may view or ask for a copy of their own personal data.


The Right To Rectification (Article 16)

Such a subject can request their unupdated or inaccurate details to be corrected or updated.


The Right To Be Forgotten (Article 17)

Such a subject may request others to erase personal data of theirs. There are certain exemptions for this right.


The Right To Portability (Article 20)

Such a subject may ask to transfer their data to a different controller or let their data be provided. The data must be delivered in a format that is electronic and readable by a machine.


The Right To Restrict Processing (Article 18)

Such a subject may appeal for personal data to be restricted or suppressed.


The Right To Object (Article 21)

Such a subject may object to their personal data’s processing.


The Right To Object Automated Processing (Article 22)

Such a subject may object to decisions involving their personal data that were made based on automated profiling or decision-making.


Data subjects have quite extensive rights, according to the GDPR. However, in relation to the matter of when personal data should be deleted, it is important to focus on this specific right: the right to be forgotten.

An Individual’s Personal Data Protection: The Right To Be Forgotten

The right to be forgotten can be found in the GDPR Article 17. This right to be forgotten mentions that a data subject must have the right to ensure from a data controller the erasure of this person’s personal data without undue delay. The data controller is also obligated to proceed with the erasure without delay. This applies when one among other conditions is met.


This simply means that it is within a data subject’s rights to have their own data deleted. This data deletion must be done without undue delay, which is roughly a period of one month. When such a request is made, a controller has the legal obligation to delete personal data immediately or without undue delay.


This specific right for deleting personal data works hand in hand with a data subject’s right to access. One’s right to control personal data does not mean anything if this person cannot do something in these situations:


  • When they disapprove of the processing activities at some point
  • When major errors are present in the information
  • If they think that their information is being unnecessarily held


In such cases, data subjects can rightfully request to erase personal data.


However, you should know that this right isn’t absolute. This means that the GDPR has only set a thin line when it comes to data deletion.

Data Retention Policies

Even if the said line about data deletion is quite thin, the GDPR provides a recital to explain the right data retention periods and conditions. In Recital 65, specifically, the GDPR mentions the following:


  • A data subject’s right to rectification
  • A data subject’s right to be forgotten when data retention violates the GDPR or any Union/Member State Law that a controller is subject to


Other than that, the GDPR also mentions a data subject’s supposed right to have personal data erased or processing ceased in the following cases:


  • When it is no longer necessary to store personal data in light of the original reason why it was collected in the first place
  • When the subject has withdrawn consent to their processing
  • When personal data retention and collection do not comply with the GDPR


What Are The Legal And Regulatory Requirements For Keeping Data?

According to the same recital, retention of personal data can be necessarily lawful in the following specific circumstances:


  • When it comes to exercising one’s right to freedom of expression and information
  • When it comes to meeting a legal obligation
  • When it comes to performing a task that is executed with the public interest in mind or with a controller’s official or supervisory authority
  • When it is done on the basis of public interest when it comes to public health
  • When it comes to archiving records for public interest
  • When it comes to scientific or historical research endeavors
  • When it comes to statistical purposes
  • When it comes to the defense or exercise of legal claims for establishments


That being said, from a legal perspective, there are indeed exemptions to approving a data erasure request. In such conditions, a data retention period is allowed.

Data Privacy In The Healthcare Setting

Even if professional secrecy is important in other settings, the GDPR acknowledges that health data is a special type of personal data.


As per the Regulation’s Recital 35, health data comprises any kind of data related to a subject’s health status. This data must relate to the subject’s future, current, or past mental or physical status.


This data may include the following:


  • Information collected during the registration for healthcare services.
  • Identification numbers or symbols granted to a data subject solely for health purposes such as in preventative or occupational medicine.
  • Test/exam results, biological samples, and genetic data taken from a data subject.
  • Any information that relates to a data subject’s disability, disease, medical history, disease risk, clinical treatment, biomedical state, or physiological condition independent of the original source (ex. hospital or health professional).


For health data specifically, the GDPR states that processing is not allowed unless certain circumstances and conditions for exemption are met.


In all other situations, sharing health data with third-party entities strictly requires consent from the patient. It is considered illegal if the information was shared without permission.

What About Backup Systems And Deletion Logs?

These conditions mostly pertain to information and different systems that are available at the forefront, but what about backup systems?


While the GDPR does not explicitly mention guidelines pertaining to backup systems, it is important to make sure that a company’s backup systems still honor the rights of data subjects. Hence, information included in a backup system can also be deleted upon request.


The same is true for deletion logs as well. When requests are made within the subject’s rights, and when conditions for a retention period are not met, these may be deleted as well.

When Should Service Providers Delete Personal Data?

Considering the articles, recitals, and conditions from the GDPR mentioned above, the following can be inferred.


Service Providers

  • When an online business or service providers cater to an EU audience by continuously and directly offering them goods and services or monitoring their behavior, they are legally bounded by the GDPR.
  • Service providers and other organizations under the GDPR are legally obligated to delete data if the personal data they store is used for overriding legitimate interests, such as direct marketing purposes.
  • Service providers can keep personal data stored if they meet the GDPR’s conditions for data retention mentioned above.
  • Service providers, including search engines like Google, have to honor the rights of data subjects at all times.
  • Certain people or organizations are legally allowed to control and process personal data in such a way that honors the data subject’s rights.


Data Subjects

  • Data subjects have legal rights when it comes to what others can do with their own personal data. It is within these very rights for them to ask others to delete personal data, submit an erasure request, restrict or object to processing activities, revoke the consent that was granted early on, and other things. Thus, if an individual objects to how their data is publicly available for reasons that are not covered in the retention conditions, this person can exercise these rights.


Health Data

  • Unless conditions for exemption are met, publicly posting healthcare data without consent is considered illegal.


Backup Systems

  • When it comes to stored data behind the scenes, service providers should still honor the rights of data subjects.


All of these are just guides for knowing the legal basis of data protection and retention. However, if necessary, you may also opt for a professional legal consultation to know what a legal professional has to say about your case.

What Happens To Non-Compliant Entities?

Even if there are strict guidelines that the GDPR offers, there are those that take organizational measures that do not comply with the Regulation.


When these organizations are non-compliant or if they suffer from data breaches, they would be required to pay a fine. While this is usually a reasonable fee, it can reach up to around 4% of the annual turnover of a business or even 17 million euros. This depends on how serious the non-compliance is.

Personal Data: Keep It Or Let It Go

The GDPR shows that there are specific conditions where it is necessary to have personal data deleted. At the same time, it also relays the certain conditions where keeping data is allowed even when removal requests are made.


To end, there are some things that you should remember:


  • If you are part of a business that operates on data, it is important for you to know the legal basis behind deciding when the erasure of personal data is necessary or not.
  • If your personal data can be found online, you should know that you have rights that you can exercise. You can fight for certain data deletion and exercise your rights to revoke consent.


Whether you are the one who processes and/or controls data or whether you are someone whose personal data is used, it is important to know the rights you can exercise and the reasonable steps of doing things legally.


To learn more about how you can protect your internet privacy and remove personal information from the web, contact RemovePersonalInformation today by dialing 844-445-6096 .

Catch up on more news from RPI!

A man holding a credit card and a phone.

Biometric Identification in Banking: The Future of Secure Transactions

January 30, 2024

In an age where digital security is of utmost importance, biometric identification has emerged as a pioneering technology in the…

Read More
A woman holding a smartphone with a heart rate monitor on it.

Securing Your Health Data: Privacy Measures in Telemedicine

January 25, 2024

Telemedicine has become an increasingly popular option for accessing healthcare services, allowing patients to consult with healthcare providers remotely. What…

Read More
A laptop with a speech bubble and a password on it.

Crafting Unhackable Passwords: A Step-by-Step Guide

January 22, 2024

In a world where cyber threats are becoming increasingly sophisticated, the importance of having strong passwords cannot be overstated. But…

Read More