Article 17 of the GDPR
The Right to Erasure of Personal Data
The right to erasure of personal data means that data subjects can request that a company erase their personal data processed by the company. The data subject’s right to erasure of personal data is also known as the “right to be forgotten”.
Data subject's right to erasure of personal data under the GDPR
Article 17 of the GDPR sets out this right. This is one of the eight (8) fundamental rights that data subjects have under the GDPR.
Anonymize personal data instead of deleting it under the right to erasure of personal data
A company may choose to anonymise the personal data instead of deleting it. The GDPR does not cover anonymized personal data. However, the processing of personal data within the anonymisation process itself is covered by the GDPR.
Personal data that has been rendered anonymous becomes ordinary “data”. It is thus no longer “personal data”, as it can no longer be linked to a natural living person. Please note that anonymization and pseudonymization (a form of de-identification) are not the same thing. Pseudonymized personal data are still considered personal data and are covered by the GDPR.
The company shall inform third parties who have gained access to the personal data about the deletion
When a company deletes personal data at the request of a data subject, the company shall also inform any third parties with whom it has shared the personal data about the erasure. This is on the condition that it is possible and does not involve too onerous an effort to carry out.
In addition, the company should inform the data subject that the erasure has been carried out. Furthermore, the data subject has the right to know to which third parties the personal data have been disclosed.
When a company can retain personal data even if the data subject requests erasure of personal data
There are certain situations where a company does not need to delete personal data, even if the data subject requests it. Here are examples of exceptions where the right to erasure of personal data does not apply:
- As regards the right to freedom of expression;
- If there is a legal obligation that requires the company to process the personal data in order to comply with the law;
- Where the processing of personal data is carried out in the public interest;
- Where the processing of personal data is in the public interest and is related to public health;
- When the processing takes place for archiving purposes;
- When the company saves personal data in order to defend a legal claim.
When a company shall delete the personal data at the request of the data subject
Here are some examples of when a company should delete personal data at the request of the data subject. Please note that this applies provided that none of the above exceptions apply. According to the right to erasure of personal data in the GDPR, the company shall erase the personal data if the:
- Company no longer needs the personal data for the purpose for which it was collected;
- Data subject has given consent which he or she withdraws. This applies if the company has no other legal basis for continuing the processing;
- Personal data are processed for direct marketing purposes to which the data subject objects; or
- Processing of the personal data is in breach of applicable law.
Establish internal procedures for erasing personal data correctly in accordance with the GDPR
According to the general rule of the GDPR, companies must delete personal data that is no longer necessary. Therefore, companies should regularly delete personal data. It is important to establish internal procedures for erasure and anonymization of personal data. In this way, employees have guidelines to follow to ensure that the GDPR is complied with in this regard.
For example, the company may set certain predetermined days during the year when the deletion of personal data is to take place. Personal data also exists in many different places, such as emails, documents, accounting material, digital cloud storage and systems, etc. Therefore, it is good to note all repositories in a register. Then the company’s employees can more easily keep track of where personal data is present, and more easily make necessary deletions.
A company that did not delete personal data on request received a reprimand
The Swedish Authority for Privacy Protection (IMY) issued a reprimand to a company. The reason for this was that the company did not delete personal data at the request of a data subject. In addition, the company provided incorrect information to the data subject, claiming that the personal data had been deleted.
Other data subjects' rights under the GDPR
Right to limitation of processing personal data
According to the GDPR, data subjects have the right to request that the company limit the processing of their personal data. This right applies in certain cases and is often combined with a request for rectification of personal data. When a company must comply with the right to limitation of processing, the company shall mark the personal data. The purpose of the marking is to ensure that the data is processed only for the defined limited purpose.