Article 17 GDPR grants the data subject the right to have their personal data erased without undue delay. This right reflects the data minimisation principle (see the “Data minimisation” subsection in the Principles section of the General Part of these Guidelines) and the accuracy principle (see the “Accuracy” subsection in the Principles section of the General Part of these Guidelines), according to which personal data must be limited to what is necessary for the purposes for which those data are processed, and must be accurate and up to date (Article 5.1(c) and (d)).
Pursuant to Article 17.1 GDPR, the right to erasure applies in the following scenarios:
- The personal data are no longer necessary regarding the purposes for which they were processed;
- The data subject withdraws the consent on which the processing is based and there is no other applicable legal ground;
- The data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- The personal data have been unlawfully processed;
- The personal data have to be erased, in order to comply with a legal obligation laid down in the EU or Member State’s law to which the controller is bound;
- The personal data have been collected concerning the offer of information society services to children according to Article 8.1 GDPR.
From a practical perspective, the right to erasure involves making data unusable in a way that prevents the controller and any other party from (re-)accessing and (re-)processing the data, whether by destroying the physical medium (e.g. paper documents) or by deleting the data from IT systems. The erasure process is successful insofar as it is no longer possible to restore the data without excessive effort. Voigt and von dem Bussche, for instance, consider the theoretical possibility of restoring the data through specialized software as reasonable.
On the one hand, there are international standards specifically created to state how information on paper has to be destroyed. In particular, the paper has to be destroyed by an appropriate shredder. One example of a standard on this matter is the DIN 66399 Standard, which offers guidance on the adequacy of shredders and their configuration. Destruction of information can be performed either internally by the controller or by an external company. If outsourced, the external company must be considered a data processor, since Article 4.2 GDPR also considers “erasure or destruction” to be a processing operation. According to Article 28.3 GDPR, the controller must write a contract that imposes all necessary obligations on the processor to implement appropriate safeguards (see Article 28 GDPR for detail).
On the other hand, erasure from live systems may not occur immediately. Moving data to the computer's recycle bin is not sufficient. For instance, the data could be stored in a different location, and in back-up repositories as well. In such cases, acting upon the data subject’s request could be more complicated and take longer due to the technical mechanisms in force. Accordingly, the controller shall put the back-up data beyond use (namely, so that no one can process the data in the back-up repository for any purpose) until the repository is updated on schedule and the data can finally be erased permanently. A recent example of standards applicable to this process can be found in ISO 27701.
Moreover, when personal data are public and must be erased, the controller must take reasonable steps to inform other controllers who process the same data about the subject’s request to erase them. Such reasonableness derives from the available technologies and the cost of implementation, as explained in Recital 66 GDPR. Similarly, Article 19 GDPR requires the controller to communicate the erasure to each recipient to whom the data have been disclosed, unless this proves impossible or involves disproportionate effort (see the “Accuracy” subsection in the Principles section of the General Part of these Guidelines).
A much debated question concerns the burden of proof. On the one hand, according to Voigt and von dem Bussche (2017), the data subject has to demonstrate the existence of their right to erasure; the controller will nonetheless be obliged to prove circumstances favourable to it, such as producing counterevidence to negate unlawful processing under Article 17.1(d) GDPR. The same also goes for proving exceptions from the right to erasure laid down in Article 17.3 GDPR (see below). On the other hand, the Fundamental Rights Agency states that, upon the data subject’s request for erasure, it is just the responsibility of the controller to indicate the lawfulness of the processing.
Against this background, Article 17.3 GDPR provides several exemptions to the right to erasure, including when the processing of personal data is necessary for:
- Exercising the right of freedom of expression and information;
- Compliance with a legal obligation which requires processing by the EU or Member States’ law to which the controller is bound, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Reasons of public interest in the area of public health;
- Archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
- The establishment, exercise or defence of legal claims.
Focusing on the limitation set to the right to erasure when its exercise would render impossible or impair the achievement of research purposes, Ducato outlines that such a limitation […] is justified in the light of the specific needs of the research context: erasure of whole or part of the data used for a study, even where technically possible, would risk undermining the scientific validity of research by preventing verification of its results and the peer-review process. The restriction, the author reports, is thus apparently limited to studies that are already concluded, given that the failure to commence the research and the following exercise of the right to erasure would not affect the research objectives.
Checklist for complying with an erasure request:
Is the exercise of the right to erasure compliant with the GDPR?
☐ Did you receive an erasure request from a legal entity? If yes, please indicate that the request was not lodged by an individual;
☐ Have the individuals correctly identified themselves? If not, please ask for further information to confirm identity;
☐ Does the request fall within one of the scenarios laid down in Article 17.1 GDPR? If not, please inform and explain to the data subject that the request shall be denied;
☐ Does the request satisfy one of the exemptions provided by Article 17.3 GDPR? If yes, please inform and explain to the data subject that the request shall be denied;
☐ Can the request be fulfilled within one month? If not, please inform the data subject why and how long it will take to process the request;
☐ The request needs to be fulfilled.
How to further comply with all the GDPR obligations:
☐ Make data unusable in a way that prevents you and any other party from (re-)accessing and (re-)processing the data;
☐ Communicate the erasure to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort;
1. P. Voigt & A. von dem Bussche, op. cit., p. 161
2. Ibid., p. 161
3. This standard was developed by the DIN, which is the abbreviation for the German Institute for Standardization. For further information, see: https://din66399.de
4. P. Voigt & A. von dem Bussche, op. cit., p. 159
5. Fundamental Rights Agency (ed.), op. cit., p. 223
6. R. Ducato, op. cit., p. 6