Right To Be Forgotten

The European General Data Protection Regulation (GDPR) has strengthened the rights of those affected. These include the right to erasure of personal data, also known as the “right to be forgotten”. But what does that mean exactly and how can it be applied in practice?

The right to be forgotten means that data subjects can request that the data controller delete their personal data. Article 17 of the GDPR lists the grounds that data subjects can invoke. The most important include:

• Elimination of storage purpose: A central principle of the GDPR states that any storage and processing of personal data must be linked to a purpose. It follows that as soon as the purpose no longer exists, the data may no longer be stored.

• Withdrawal of consent: Consent from the data subject is considered a possible basis for the processing of personal data. If this is withdrawn, all data for which consent was originally given must be deleted, provided there is no other legal basis. The revocation does not affect the legality of the processing that has already taken place.

• Unlawful processing: If the data processing was unlawful from the start, the person concerned can demand the immediate deletion of the personal data.  

The GDPR lists other reasons that allow data to be erased. This includes, for example, the case when a company has processed data without the active consent of the person concerned on the basis of a “legitimate interest”. This is not illegal per se – the GDPR recognizes the concept of “legitimate interest”. However, if the data subject objects here, the data must be deleted unless there is another legal basis.  

When a deletion request makes sense 

We have seen that a deletion request can have different reasons. An important right under the GDPR is the right to information, with which every person can find out what data a company or authority has stored about them. If such information reveals that data has been stored unlawfully, it makes sense to submit a deletion request.  

The most common case in practice is probably the termination of a specific program or service. If such a termination does not automatically confirm that stored data will be deleted, it is advisable to make active use of the right to deletion.  

It is best to submit a deletion request in writing

In principle, a request for deletion does not require a specific form. For documentation purposes and to be able to prove the request later, the written form is very well suited – either classically by post or by e-mail. Nobody has to provide a detailed justification; a one-liner is enough for a deletion request. Some details may be helpful to include in the request:

• Name, address, date of birth or e-mail address: The company must ensure that the request actually came from the data subject and not from a third party. Therefore, the person concerned should send along the data that the company already has and that can help with identification.

• No new data: However, if the company does not know certain data at all – such as date of birth or e-mail address – it is not helpful to attach it to the deletion request. After all, the company should not have more data afterwards than before.  

If you want to be on the safe side, you can also specifically name the personal data to be deleted in your letter – but that doesn’t have to be the case. It is possible to request the deletion of only certain personal data or of all of it. An example of deleting only certain data could be an incorrect address, while other data may continue to be stored.

Further steps after the deletion request

But what happens if the company simply ignores the request? In that case, it automatically puts itself in the wrong, because you have a legal right to a response within one month.

Depending on how important the matter is to the applicant, he or she can now remind the company a couple of times. If this is also unsuccessful, the only option is to lodge a complaint with the competent supervisory authority. There is a complex system of data protection authorities in Germany, but every citizen can contact their local state authority with confidence.

In practice, data from social networks may have spread elsewhere on the Internet even if the request for deletion was successful. Do those affected have to ask each individual site operator to delete the same data afterwards? No, because the originally responsible person who published the data must work towards the deletion across the entire data processing chain.  

Self-test: It really is that easy to delete data

Paper is known to be patient. So does the still young right to be forgotten from the GDPR actually apply? At DataGuard, we tried it. From online services to bonus point programs to internet shops: We terminated around a dozen real customer accounts that were no longer needed by email or contact form with a simple one-liner. The results are encouraging:

• All erasure requests were actually answered within the allotted one-month period – there were no requests for verification of identity.

• None of the companies asked refused to delete them (which, however, would have had no legal basis even after termination of the contractual relationship). 

• Small fly in the ointment: Not all companies have given a concrete time frame for the deletion. One company that can be positively highlighted in terms of transparency has described its deletion routine and explained why the deletion can only take place in six weeks for technical reasons.  

On the whole, fortunately, all the organizations contacted behaved in compliance with the GDPR. Of course, the deletion cannot be physically controlled in this way. Anyone who has doubts as to whether the deletion really took place could, for example, submit a request for information under the GDPR to the company again a year later and ask whether personal data about them is being processed. If the company then states that it still has data stored, something is obviously wrong.