Articles 17 and 18 of the GDPR set out the Right to Erasure (more popularly known as the right to be forgotten) and the Right to Restriction of Processing. So when does one request or action one or the other? What are the differences?
Let’s start with a brief understanding of these articles, simply from a legal perspective. Then we will follow with the real world: what is the difference for the average Joe, and how can regular companies apply and comply?
THE LEGAL WORLD
Right to Erasure / to be forgotten may be requested by a data subject under the following circumstances:
- If the personal data is no longer necessary for the purpose it was collected.
- If the processing is based on consent, and the data subject withdraws that consent.
- If the processing is based on legitimate interest, the data subject objects to the processing and the controller is unable to demonstrate that its legitimate interest overrides the interests or the fundamental rights and freedoms of the data subject.
- If the processing is unlawful.
- If the personal data must be erased for compliance with EU or member state law.
- If the consent was given when the data subject was a child (either by the child or by a legal guardian); the consent may then be withdrawn.
In these cases the controller needs to CEASE all processing and DELETE the PERSONAL DATA.
A complication arises when the controller has made the personal data public (could be as part of the service they offer). In such cases the ‘Original Controller’ must take reasonable steps ‘to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data’.
This means that when the data has been shared the controller only has an obligation to inform but has no obligation or power to do anything else about it.
Exceptions to the right to erasure / right to be forgotten:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject;
- for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
- for the establishment, exercise or defence of legal claims.
Restriction of processing (Art 18) – Allows for personal data to continue being stored without being further processed. Restriction provides an alternative to erasure in circumstances where storing the personal data:
- is legally required,
- ensures the protection of another person’s rights, or
- is in the public interest.
Restriction of processing may be requested for the following reasons:
- Accuracy of data is being contested and controller needs time to verify identity or accuracy.
- The processing is unlawful but data subject prefers restriction over erasure.
- Controller no longer needs the personal data but data subject needs it for legal reasons.
- Data subject objects to the processing and controller needs time to establish legitimate grounds.
THE REAL WORLD
What we just read means that, first and foremost, these rights are not absolute. As citizens, come the 25th of May, we shouldn’t simply start demanding our rights left, right and centre from every company we’ve ever been in touch with. As companies, the same applies: when a request comes in, evaluate whether the citizen is within his/her rights and, where they are not, guide them accordingly.
Right to erasure
| Ground for erasure | Real-world example |
|---|---|
| If the personal data is no longer necessary for the purpose it was collected. | In a previous post I provided several examples of this. |
| If the processing is based on consent, and the data subject withdraws that consent. | All the data we provide to Facebook, for example, is processed based on consent, or should I say SHOULD BE based on consent. |
| If the processing is based on legitimate interest, the data subject objects to the processing and the controller is unable to demonstrate that its legitimate interest overrides the interests or the fundamental rights and freedoms of the data subject. | I’ve got a good one for this. I’m sure you’re familiar with little phone games such as Words with Friends, Angry Birds and the like. Now I’m not saying that all of them do, but a number of them collect location data through the phone while you’re playing, access your contacts and much more. I can see no valid reason for this and I’m sure Angry Birds would be hard pressed to explain why it needs my contacts list. |
| If the processing is unlawful. | If, for example, the processing breaks other laws (perhaps industry-specific ones) or breaches a contract. |
| If the personal data must be erased for compliance with EU or member state law. | Erasure is imposed by other laws; these could be industry-specific or generic laws, and not even related to privacy per se. |
| If the consent was given when the data subject was a child (either by the child or by a legal guardian); the consent may then be withdrawn. | For example, your parents gave your personal details as a child to the local drama group for kids that you attended when you were 5 years old, or more realistically your parents put up pictures of you on a social media platform to which you now object. |
As for companies, after determining that, yes, the data subject is within their rights to request erasure, how do they achieve this?
- Anonymization (remember, anonymous data does not fall under the scope of the GDPR)
Restriction of processing
| Ground for restriction | Real-world example |
|---|---|
| Accuracy of data is being contested and controller needs time to verify identity or accuracy. | If I discover that a company providing me a service has been sending correspondence to an old address, when I phone the company to request rectification, the company needs to verify that I am who I say I am. This may require some time. In the meantime, the processing should be restricted so that no further correspondence is sent to the address they have on file until such time as the matter is cleared up. |
| The processing is unlawful but data subject prefers restriction over erasure. | I really cannot come up with a scenario for this one. If there are any privacy experts out there, your help would be appreciated. I assume that this could come into play when there is a breach of contract which still serves its purpose, such as an employment contract; however, don’t take my word for this one. |
| Controller no longer needs the personal data but data subject needs it for legal reasons. | (Warning: this is an extreme scenario, I am not advocating that you all start suing doctors.) My smart watch company, whose watch I no longer use, has all my heart monitoring data for 2015. The company no longer needs that data; however, I need that data in order to sue my doctor for not catching a medical complication when the data was presented to him/her. |
| Data subject objects to the processing and controller needs time to establish legitimate grounds. | This is basically when there is a dispute between lawyers or courts as it is not clear whether legitimate grounds exist. However, until such dispute is resolved, the data cannot be processed. |
As for companies, restriction of processing may be achieved through:
- Making the personal data temporarily unavailable
- Noting the restriction in the system
- Moving the data to a separate system.
- Temporarily blocking a website
- Using the data under narrow conditions