With the advent of the internet and digital technologies, the concept of privacy has become more critical than ever. To address these concerns, the General Data Protection Regulation (GDPR) empowers individuals to control their personal data and introduces the “right to be forgotten”. This allows individuals to request erasure of their data from data controllers. However, it poses challenges for UK businesses. This article will explore when your company should act upon an individual’s right to be forgotten to ensure your business avoids breaching the GDPR.
What Is the ‘Right to Be Forgotten’?
UK law grants individuals the right to request that organisations erase their personal data without undue delay. This “right to be forgotten” is applied if the data is no longer needed, inaccurate, or processed illegally. The right remains in effect after Brexit and applies to all EU member states.
The right to be forgotten is not absolute, and exceptions exist. For example, your business has the right to retain personal information if it is necessary for legal compliance, regulations, or defending itself in a legal claim.
The right to be forgotten only applies to searchable data accessible through search engines. This means your business is not legally obligated to erase personal data stored internally that is not publicly searchable.
When Should Your UK Business Act Upon an Individual’s Right to Be Forgotten?
In certain situations, a UK business must comply with an individual’s right to be forgotten. Failing to do this could be a breach of the GDPR or the Data Protection Act. With this in mind, let us explore some examples below.
1. No Longer Necessary
Under the UK GDPR, personal data must be kept for no longer than necessary for the purposes for which it is processed. If a business no longer requires an individual’s personal data for its intended purpose, the individual has the right to request the erasure of their personal data.
For example, suppose a customer has closed their account with a business and no longer requires their services. In this case, the company should erase their personal data upon request.
2. Inaccuracy
If the personal information is inaccurate, incomplete or out-of-date, the individual has the right to request the erasure or correction of their personal data.
Your business should ensure that the personal data it holds is accurate and up-to-date. Upon receiving a request to erase inaccurate personal data, your company must take the following actions:
- erase the inaccurate information; and
- verify and ensure the accuracy of any corrected data.
3. Unlawful Processing
If personal information is unlawfully processed, the individual has the right to request the erasure of their personal data.
Processing personal data without the individual’s consent and using it for illegitimate reasons or beyond the purpose of collection constitutes unlawful processing.
To ensure lawful processing, your business must actively verify consent and only use personal information for legitimate and originally intended purposes. If processing is found unlawful, take immediate steps to erase the data.
4. Irrelevance
If personal information is no longer relevant to the purpose for which it was collected, such as direct marketing purposes, the data subject has the right to request the erasure of this data.
For example, suppose your business collected personal information for a marketing campaign that has ended. In this case, the individual has the right to request the erasure of their personal data.
5. Objection
Upon receiving an objection to processing personal data, you must assess whether it is necessary for the intended purpose.
If it is not necessary, your company should erase the individual’s data. In some cases, your business can legally retain the data and refuse to process personal information. For example, this includes situations involving legal or regulatory compliance or existing legal action.
What Happens if My Company Unlawfully Refuses to Delete Data?
Failing to comply with the right to be forgotten can have severe consequences for UK businesses.
For example, non-compliance with the GDPR can result in a fine from the Information Commissioner’s Office (ICO).
In addition, your company can face reputational damage if it fails to comply with the right to be forgotten. Individuals may also take legal action against your business, with time, stress and cost implications.
Key Takeaways
The right to be forgotten is an important legal right that allows individuals to protect their privacy by requesting that UK organisations erase their personal data. Your business should act upon an individual’s right to be forgotten in certain situations, for example when the personal data is no longer necessary, inaccurate or unlawfully processed.
Failing to comply with the right to be forgotten can have severe consequences for your business. These include ICO fines and reputational damage. Upon receipt of a complex right-to-be-forgotten request, you should consider expert legal advice. This way, you can ensure GDPR compliance and avoid GDPR fines.
If you need help processing personal data deletion requests, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.