![](https://holtech-digital.solutions/wp-content/uploads/2022/06/image-14.png)
A simple (I hope) explanation of the new GDPR ‘right to erasure’ being enforced on the 25th May 2018.
The phone call/email every company dreads. It’s a client/customer contacting us to ask us for all of their information to be deleted forever.
At the moment, that important client database is the hub of my business, it’s my goto when i need to send out marketing emails, when we need to follow up with sales leads, and resubscribing my ongoing revenue clients. If this database is compromised, that could spell the end of my business!
Well, come the date of May 25th 2018, it will be a legal requirement to comply with these requests.
GDPR states that “A right to be forgotten will be replaced by a more limited ‘right to erasure’ in the version of the GDPR adopted by the European Parliament in March 2014.[20][21] Article 17 provides that the data subject has the right to request erasure of personal data related to them on any one of a number of grounds including non-compliance with article 6.1 (lawfulness) that includes a case (f) where the legitimate interests of the controller is overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data’.
HOW ON EARTH can i be possibly expected to be able to totally erase a single individual from my entire business? I have CRM records, finance records, marketing emails, email responses, and possibly even paper communication!
The right to be forgotten applies in the following circumstances.
- the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) This is the right to object to the subjects data being used for any purpose
- the personal data has been unlawfully processed.If the subject believes their data has been used in an unlawful manner
- The personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject. So if the subjects data has been noted in another situation such as a legal case, or something to do with local jurisdiction
- The personal data has been collected in relation to the offer of information society services referred to in Article 8(1). This is regarding the data of a child below the age of 13.
But there are some exceptional circumstances, if you still require the data in the following circumstances, then you do not need to comply with the erasure request.
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. For example if the data is to be used in a court of law
- for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3). For example, health records held by a national health service
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; Same as above, but for scientific research
- for the establishment, exercise or defence of legal claims. This is pretty much so that individuals cannot affect legal claims or trials by removing personal data held as evidence.
Now I know this looks like an info sheet, But it’s pretty hard to explain aspects of GDPR without actually quoting it, but this is all information that your data controller needs to know by heart if he/she/they are to perform their role effectively.
The fact of the matter is that when an individual contacts you with a request for erasure in line with GDPR, you need to consider the above points when processing that request.
I am totally open to discussion and questions on any subject I write about, please feel free to write any comments/questions below.