Skip to content

When Should Your UK Business Act Upon an Individual’s Right to Be Forgotten?

Table of Contents

With the advent of the internet and digital technologies, the concept of privacy has become more critical than ever. To address these concerns, the General Data Protection Regulation (GDPR) empowers individuals to control their personal data and introduces the “right to be forgotten”. This allows individuals to request erasure of their data from data controllers. However, it poses challenges for UK businesses. This article will explore when your company should act upon an individual’s right to be forgotten to ensure your business avoids breaching the GDPR.

What Is the ‘Right to Be Forgotten’?

UK law grants individuals the right to request that organisations erase their personal data without undue delay. This “right to be forgotten” is applied if the data is no longer needed, inaccurate, or processed illegally. The right remains in effect after Brexit and applies to all EU member states.

The right to be forgotten is not absolute, and exceptions exist. For example, your business has the right to retain personal information if it is necessary for legal compliance, regulations, or defending itself in a legal claim.

The right to be forgotten only applies to searchable data accessible through search engines. This means your business is not legally obligated to erase personal data stored internally that is not publicly searchable.

When Should Your UK Business Act Upon an Individual’s Right to Be Forgotten?

In certain situations, a UK business must comply with an individual’s right to be forgotten. Failing to do this could be a breach of the GDPR or the Data Protection Act. With this in mind, let us explore some examples below.

1. No Longer Necessary

Under the UK GDPR, personal data must be kept for no longer than necessary for the purposes for which it is processed. If a business no longer requires an individual’s personal data for its intended purpose, the individual has the right to request the erasure of their personal data.

For example, suppose a customer has closed their account with a business and no longer requires their services. In this case,  the company should erase their personal data upon request.

2. Inaccuracy

If the personal information is inaccurate, incomplete or out-of-date, the individual has the right to request the erasure or correction of their personal data.

Your business should ensure that the personal data it holds is accurate and up-to-date. Upon receiving a request to erase inaccurate personal data, your company must take the following actions:

  • erase the inaccurate information; and
  • verify and ensure the accuracy of any corrected data.

3. Unlawful Processing

If personal information is unlawfully processed, the individual has the right to request the erasure of their personal data.

Processing personal data without the individual’s consent and using it for illegitimate reasons or beyond the purpose of collection constitutes unlawful processing.

To ensure lawful processing, your business must actively verify consent and only use personal information for legitimate and originally intended purposes. If processing is found unlawful, take immediate steps to erase the data.

4. Irrelevance 

If personal information is no longer relevant to the purpose for which it was collected, such as direct marketing purposes, the data subject has the right to request the erasure of this data.  

For example, suppose your business collected personal information for a marketing campaign that has ended. In this case, the individual has the right to request the erasure of their personal data.

5. Objection

Upon receiving an objection to processing personal data, you must assess whether it is necessary for the intended purpose.

If it is not necessary, your company should erase their data. In some cases, your business can legally retain the data and refuse to process personal information. For example, this includes situations involving legal or regulatory compliance or existing legal action.

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

What Happens if My Company Unlawfully Refuses to Delete Data?

Failing to comply with the right to be forgotten can have severe consequences for UK businesses.  

For example, non-compliance with the GDPR can result in a fine from the Information Commissioner’s Office (ICO).

In addition, your company can face reputational damage if it fails to comply with the right to be forgotten. Individuals may also take legal action against your business, with time, stress and cost implications.

Front page of publication
Privacy Notice

This Website Privacy Notice states how a business will deal with the personal information of its users.

Download Now

Key Takeaways

The right to be forgotten is an important legal right that allows individuals to protect their privacy. This is ensured by allowing requests for the erasure of their personal data by UK organisations. Your business should act upon an individual’s right to be forgotten in certain situations. For example, when the personal data is no longer necessary, inaccurate or unlawfully processed.

Failing to comply with the right to be forgotten can have severe consequences for your business. These include ICO fines and reputational damage. Upon receipt of a complex right-to-be-forgotten request, you should consider expert legal advice. This way, you can ensure GDPR compliance and avoid GDPR fines. 

If you need help processing personal data deletion requests, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents.  Call us today on 0808 196 8584 or visit our membership page.  

Register for our free webinars

Deal Structures 101: Understanding Equity, ASAs and Convertible Notes

Online
As a startup founder, understand your capital raising options. Register for our free webinar today.
Register Now

Common Legal Pitfalls for SaaS and Online Businesses

Online
Protect your online or SaaS business from common legal pitfalls. Register for our free webinar.
Register Now

GDPR Compliance Essentials for SMEs

Online
Ensure our business is compliant with GDPR and build trust with customers. Register for our free webinar.
Register Now
See more webinars >
Thomas Sutherland

Thomas Sutherland

Read all articles by Thomas

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards