Right to Erasure Guidelines
At a glance
The GDPR introduces a right for individuals to have personal data erased.
The right to erasure is also known as ‘the right to be forgotten’.
Individuals can make a request for erasure verbally or in writing.
You have one month to respond to a request.
The right is not absolute and only applies in certain circumstances.
This right is not the only way in which the GDPR places an obligation on you to consider whether to delete personal data.
Preparing for requests for erasure
We know how to recognise a request for erasure and we understand when the right applies.
We have a policy for how to record requests we receive verbally.
We understand when we can refuse a request and are aware of the information we need to provide to individuals when we do so.
Complying with requests for erasure
We have processes in place to ensure that we respond to a request for erasure without undue delay and within one month of receipt.
We are aware of the circumstances when we can extend the time limit to respond to a request.
We understand that there is a particular emphasis on the right to erasure if the request relates to data collected from children.
We have procedures in place to inform any recipients if we erase any data we have shared with them.
We have appropriate methods in place to erase information.
What is the right to erasure?
Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.
When does the right to erasure apply?
Individuals have the right to have their personal data erased if:
the personal data is no longer necessary for the purpose which you originally collected or processed it for;
you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
you are processing the personal data for direct marketing purposes and the individual objects to that processing;
you have processed the personal data unlawfully (ie in breach of the lawfulness requirement of the 1st principle);
you have to do it to comply with a legal obligation; or
you have processed the personal data to offer information society services to a child.
The GDPR defines a recipient as a natural or legal person, public authority, agency or other body to which the personal data are disclosed. The definition includes controllers, processors and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Where personal data has been made public in an online environment, reasonable steps should be taken to inform other controllers who are processing the personal data to erase links to, copies or replication of that data. When deciding what steps are reasonable you should take into account available technology and the cost of implementation.
When does the right to erasure not apply?
The right to erasure does not apply if processing is necessary for one of the following reasons:
to exercise the right of freedom of expression and information;
to comply with a legal obligation;
for the performance of a task carried out in the public interest or in the exercise of official authority;
for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
for the establishment, exercise or defence of legal claims.
The GDPR also specifies two circumstances where the right to erasure will not apply to special category data:
if the processing is necessary for public health purposes in the public interest (eg protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or
if the processing is necessary for the purposes of preventative or occupational medicine (eg where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (eg a health professional).
For more information about special categories of data please see our Guide to the GDPR.
Can we refuse to comply with a request for other reasons?
We can refuse to comply with a request for erasure if it is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.
If we consider that a request is manifestly unfounded or excessive we can:
request a "reasonable fee" to deal with the request; or
refuse to deal with the request.
We will base the reasonable fee on the administrative costs of complying with the request. If we decide to charge a fee we will contact the individual promptly and inform them.
What will we do if we refuse to comply with a request for erasure?
We must inform the individual without undue delay and within one month of receipt of the request.
We will inform the individual about:
the reasons we are not taking action;
their right to make a complaint to the ICO or another supervisory authority; and
their ability to seek to enforce this right through a judicial remedy.
How will we recognise a request?
The GDPR does not specify how to make a valid request. Therefore, an individual can make a request for erasure verbally or in writing.
Can we extend the time for a response?
We can extend the time to respond by a further two months if the request is complex or we have received a number of requests from the individual. We will let the individual know without undue delay and within one month of receiving their request and explain why the extension is necessary.
Can we ask an individual for ID?
If we have doubts about the identity of the person making the request we will ask for more information.