A lock and key, sat on a keyboard

It’s not easy to be forgotten

Data. Do you think that if data is about you, then you own it? Think again because it might not be the case. This isn’t fearmongering. It’s not a statement designed to intimidate or scare, but in an age where we share our personal information almost daily and our digital presence is sometimes bigger than our physical selves, the position is not always clear. And there are a few misconceptions that deserve clarifying.
 
‘The right to erasure (also known as ‘the right to be forgotten’), is an expression that has become somewhat familiar since the GDPR came into effect last year. In short, it means that you have the right to have your personal data deleted. Last year, the concept hit the press quite spectacularly when an English court ruled against Google in the case of an individual seeking to have certain personal information about him removed from Google search results.
 
Cutting through the legalese
 
When experts talk about the rights and responsibilities around personal data, they sometime fail to fully explain the terms they use. ‘Data subject’, is a good example. It simply means ‘an individual’ or a natural person who can be identified or identifiable – you, me, our family, etc. You may also hear about a ‘Data Controller’ – this is the organisation who decides how to use your data.
 
Another frequently overlooked term is ‘Personal Data’, which sounds obvious, but it’s important to be aware of the breadth of what this can cover. Names, email addresses and bank details are obvious examples of personal data. However, loyalty cards, payroll, medical records, your fingerprint, health conditions, GPS location, IP addresses, cookies and radio frequency tags: can all be personal data when used to identify you. If you’re unhappy with who is storing this information and wish to have your personal details removed from their records, the GDPR sets out a clear way to approach this. But before you start drafting an email, it’s really important to understand whether you actually want to be erased in the first place.

Piles of stacked paperwork and folders
There are many scenarios in which organisations will refuse to remove your data from their systems.

You don’t own it, but it’s yours to control
 
When it comes to the way your information is processed, shared and stored, you have a whole suite of rights to protect you.
 
The right to access your personal data
 
If you want to know how and why a company is using your personal data, you can request to see what data an organisation holds about you and they must comply with that request. This is called a ‘subject access request’ and you can make your request in more or less any way – fax, email, letter, or even a phone call. From this point, a copy of your personal data must be provided within 30 days.
 
The right to have inaccurate personal data rectified, updated or completed
 
If your information is wrong, out of date or incomplete, the organisation holding it must make the appropriate changes. Again, to do this you must submit a request by fax, email, letter, or even a phone call, as you would for a subject access request.

The right to be forgotten is not an absolute right.

Some laws are bigger than others
 
The right to be forgotten is not an absolute right. There are quite a few scenarios in which organisations will refuse to remove your data from their systems because they have a very good reason that makes it impossible for them to do so. These scenarios are: 
 
  • To exercise the right of freedom of expression and information (for example, in reporting the news)
  • To comply with a legal obligation (e.g. employment or tax laws)
  • For the performance of a task carried out in the public interest or in the exercise of official authority (e.g. for the purposes of public safety or in police investigations)
  • For archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing
  • For the establishment, exercise or defence of legal claims.
  • If the processing of the data is necessary for public health purposes in the public interest (e.g. protecting against potential epidemics)
  • If the processing is necessary for the purposes of preventative or occupational medicine (e.g. where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services), where the data is being processed by or under the responsibility of a health professional.
  • If the request for erasure is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.
Do you really want to disappear?
 
There are plenty of well-documented circumstances where the answer is yes. Victims of crime, for example, might legitimately and understandably want to have newspaper reports/records removed from search engines. Outside of the media, you might have received terrible customer service from a business and want to cut all ties with them but do consider what this means for any purchase you may have made in the past. It might be better to just unsubscribe.
 
Good data housekeeping, benefits everyone
 
Finally, we must look from the perspective of the Data Controller. The stakes are high – fines for non-compliance with the GDPR are already being issued and the amounts are in millions. Organisations need to know exactly where your data resides in order to comply with legitimate requests for erasure. Can you imagine what a gargantuan task it must be to make sure that the information on customers, employees, suppliers, partners and more are all being looked after in the most secure and appropriate way? Whilst also being easily accessible and compliant for all manner of other legislation? This applies to the millions of contracts, documents or invoices that pass through EU businesses every day. So, while the vast majority of businesses have spent several years and huge investment bringing their systems into line, it’s everyone’s responsibility to understand why.

Written by Andreea Sovu


Related Articles