What is the Right to Be Forgotten?
GDPR’s Right to Be Forgotten grants individuals the power to request the erasure of their personal data held by organizations. It empowers individuals to have control over their online presence and ensures that their personal information is not stored indefinitely without their consent.
What does it mean for businesses?
For businesses, the Right to Be Forgotten entails certain obligations and responsibilities. When an individual exercises their right, a business is required to delete or erase the personal data related to that individual, without undue delay. This obligation extends not only to the business itself but also to any third parties that have received or processed the data.
How does it work?
When an individual submits a request for the Right to Be Forgotten, the business must carefully review the request and verify the identity of the requester to avoid unauthorized deletion of data. The request can be made in writing, through an online form, or by any other means provided by the business.
However, it’s important to note that the right is not absolute. Businesses may refuse to comply with a request under certain circumstances, such as when the data is required for legal purposes, for exercising the right to freedom of expression, for reasons of public interest, for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes.
What data is subject to erasure?
The Right to Be Forgotten applies to personal data that is no longer necessary for the purposes for which it was originally collected or processed. The personal data must also be erased if the individual withdraws consent or objects to the processing, or if the data was unlawfully processed. In addition, if the business has made the data public, it must take reasonable steps to inform other organizations to erase any links to or copies of the data. This responsibility falls on the organization, not the user requesting the right to be forgotten.
To comply with the Right to Be Forgotten, businesses should have robust data management practices in place. This includes implementing appropriate technical and organizational measures to ensure the secure deletion of personal data upon request. They must also maintain records of Right to Be Forgotten requests for compliance purposes.
Furthermore, businesses should provide clear and easily accessible information on how individuals can exercise their Right to Be Forgotten. This information should be prominently displayed on their website or other communication channels.
Non-compliance and penalties
Non-compliance with the Right to Be Forgotten can result in significant penalties. Depending on the nature and severity of the violation, businesses may face fines of up to €20 million or 4% of their global annual turnover, whichever is higher.
In summary, GDPR’s Right to Be Forgotten is a vital right that allows individuals to have greater control over their personal data. Businesses must understand their obligations under this provision and implement the necessary measures to comply with erasure requests while safeguarding the rights and interests of individuals.