Introduction: In the intricate framework of the General Data Protection Regulation (GDPR), the concept of the ‘Right to be Forgotten’ or the ‘Right to Erasure’ (Articles 17 & 19) emerges as a crucial point of discussion.
It embodies a person’s right to have their data deleted or removed by the data controller under specific circumstances, marking a significant step toward personal data autonomy and protection. Let’s unravel the nuances of this principle and its implications for individuals and organisations.
The Essence of the Right to be Forgotten
The ‘Right to be Forgotten’ applies when personal data is no longer necessary in relation to the purpose for which it was originally processed. Here are the circumstances under which an individual can exercise this right:
Irrelevance of Data: When the personal data is no longer relevant to the original purposes for which it was collected or processed.
Withdrawal of Consent: When an individual withdraws consent to process their data and there is no other lawful ground to continue processing.
Unlawful Processing: If the personal data have been processed unlawfully.
Legal Obligations: If erasing the data is a requirement to comply with a legal obligation.
Direct Marketing Objections: When individuals object to the processing of their data for direct marketing purposes.
Child Data: When the data has been collected in relation to the offer of information society services to a child.
What is a Data Subject
A Data Subject is an identified or identifiable person whose personal data is processed by a data controller or processor. In the context of GDPR, a data subject is usually a natural person whose data is collected and processed, and who has specific rights related to the processing of their personal data, such as the right to access, rectify, erase, and restrict the processing of their data.
A Data Subject Access Request (DSAR) or Data Subject Request is a formal request made by the data subject to the data controller. The request is to exercise their rights under data protection laws, most notably the right to access their personal data being processed, the purposes of the processing, and the parties with whom the data is being shared. This also often includes requests for the rectification or erasure of personal data (i.e. the "right to be forgotten"), especially if the data is inaccurate, outdated, or no longer necessary. Through such requests, data subjects can gain more control over their personal information and how it is handled by organizations.
Obligations of Data Controllers
If an individual’s personal data has been made public and there is a lawful ground to erase the data, the data controller has a meticulous set of obligations to fulfil:
Communication: The controller must communicate any rectification or erasure of personal data to each recipient to whom the data have been disclosed, unless impractical or involving disproportionate effort.
Information on Recipients: If requested, the controller must inform the individual about those recipients.
Reasonable Steps: The controller must take reasonable steps, considering available technology and implementation cost, to inform other controllers processing the individual’s data about the requested erasure of any links to, or copies of, such data.
Exceptions to the Rule
However, this right is not absolute and is inapplicable where processing is indispensable for:
Freedom of Expression and Information: Balancing the right of erasure with the right of freedom of expression and information.
Compliance with Legal Obligations: Fulfilling a legal requirement or a task executed in the public interest or in the exercise of official authority.
Public Health Concerns: Addressing reasons of public interest in the area of public health.
Archiving, Research, and Statistics: For archiving in the public interest, or scientific, historical research, or statistical purposes.
Legal Claims: For the establishment, exercise, or defence of legal claims.
Implications and Considerations
The ‘Right to be Forgotten’ is a formidable component of GDPR, reinforcing individual rights over personal data. However, it coexists with other rights and obligations, creating a delicate balance that necessitates thoughtful consideration and navigation.
Its interpretation and application require a deep understanding of the GDPR framework and a commitment to uphold the values embedded within it, ensuring that the equilibrium between individual rights and organisational obligations, as well as societal interests, is maintained.
In conclusion, this is more than a regulatory requirement. It is a reflection of the evolving relationship between individuals and their data.
It underlines the significance of privacy and autonomy in the digital age and prompts a thoughtful dialogue on how we perceive and manage personal information in an increasingly interconnected world.
Remember, the application of these principles may vary, and seeking advice from a data protection specialist is always recommended when navigating the intricacies of GDPR compliance and data erasure requests.
A Case in Point: Google and the Right to be Forgotten
A notable instance exemplifying the practical implications of this aspect of GDPR is a recent ruling by the Court of Justice of the European Union (CJEU) involving search engine giant Google.
The case revolved around two managers of a group of investment companies who petitioned Google to de-reference search results, linked to articles critiquing their group’s investment model, asserting the information contained was inaccurate.
In addition to the removal of articles, the managers also requested the elimination of their photos displayed as ‘thumbnails’ from search results, as the original context of the images’ publication was obscured in these searches.
Google rejected these requests, citing the professional context of the articles and photos and contending it could not ascertain the accuracy of the information contained within them.
The CJEU affirmed that search engine operators like Google are mandated to remove information proven to be inaccurate by the concerned individuals.
It emphasized that while the right to protection of personal data is crucial, it is not absolute, and any inaccuracies within referenced content nullify the need to consider the right to freedom of expression and information.
Importantly, individuals asserting the inaccuracy of information are not required to produce a judicial decision against the publisher of the contentious content from the pre-litigation stage, offering a degree of leverage to those pursuing de-referencing requests.
However, the onus is on them to furnish relevant and plausible evidence substantiating their claims of inaccuracy.
Impact on Personal Data and Privacy
The court’s decree highlighted the significant interference caused by the display of personal photos in search results with individuals’ rights to private life and personal data.
It stated that any requests for image removal require a distinct consideration and balancing of competing rights and interests, and the informative value of such photos must be appraised without reference to their original publication context.
Conclusions and Reflections
This ruling underscores the profound implications of the ‘Right to be Forgotten’ and exemplifies the delicate balance between individual privacy rights and freedom of information.
It serves as a reminder of the need for meticulous adherence to GDPR principles by search engine operators and other data controllers and reinforces the agency of individuals in managing their digital footprints.
In the evolving landscape of data protection, such instances enlighten us on the complexities involved in implementing and interpreting GDPR, underlining the importance of striking a judicious balance between diverse interests and rights in the digital realm.
Whether you are an individual seeking to understand your rights or an organisation navigating data protection obligations, the ramifications of the ‘Right to be Forgotten’ reverberate across the fabric of digital interactions and information exchange in today’s interconnected world.