GDPR Right to be Forgotten

The right to be forgotten derives from the case Google Spain SL, Google Inc v Agencia Española de Protección de Datos, Mario Costeja González (2014). For the first time, the right to be forgotten is codified and to be found in the General Data Protection Regulation (GDPR) in addition to the right to erasure.

The correspondingly-named rule primarily regulates erasure obligations. According to this, personal data must be erased immediately where the data are no longer needed for their original processing purpose, or the data subject has withdrawn his consent and there is no other legal ground for processing, the data subject has objected and there are no overriding legitimate grounds for the processing, or erasure is required to fulfil a statutory obligation under the EU law or the right of the Member States. In addition, data must naturally be erased if the processing itself was against the law in the first place.

The controller is therefore on the one hand automatically subject to statutory erasure obligations, and must, on the other hand, comply with the data subject’s right to erasure. The law does not describe how the data must be erased in individual cases. The decisive element is that as a result it is no longer possible to discern personal data without disproportionate effort. It is sufficient if the data media has been physically destroyed, or if the data is permanently over-written using special software.

In addition, the right to be forgotten is found in Art. 17(2) of the GDPR. If the controller has made the personal data public, and if one of the above reasons for erasure exists, he must take reasonable measures, considering the circumstances, to inform all other controllers in data processing that all links to this personal data, as well as copies or replicates of the personal data, must be erased.

An erasure request is not subject to any particular form, and the controller may not require any specific form. However, the identity of the data subject must be proven in a suitable way. If the identity has not been proven, the controller can request additional information or refuse to erase the data. If there is a request or a statutory obligation to erase, this must be executed quickly. This means that the controller has to check the conditions for erasure without undue delay. In the case of an erasure request, the data subject must be informed within one month about the measures taken or the reasons for refusal. The right to be forgotten is reflected a second time in the notification obligation. In addition to erasure, according to Art. 19 of the GDPR the controller must inform all recipients of the data about any rectification or erasure and thereby must use all means available and exhaust all appropriate measures.
The right to be forgotten is not unreservedly guaranteed. It is limited especially when colliding with the right of freedom of expression and information. Other exceptions are if the processing of data which is subject to an erasure request is necessary to comply with legal obligations, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes or for the defence of legal claims.