Do I have to delete the personal data my organisation holds about an individual if they ask me to do so?

  • 15 Dec 2025

Do I have to delete the personal data my organisation holds about an individual if they ask me to do so? The short answer is, not necessarily.

Under the UK General Data Protection Regulation (UK GDPR), an individual has the right to ask an organisation to erase their personal data. This right is also known as the ‘right to be forgotten’.

However, this right is not absolute. It can only be exercised if certain circumstances apply, including the following:

  1. The organisation no longer needs the personal data for the purposes for which it was originally collected or used.
  2. The organisation is relying on consent as the lawful basis for processing the personal data and the individual withdraws their consent.
  3. The organisation is relying on legitimate interests as the lawful basis for processing the personal data, the individual objects to the processing and there are no overriding legitimate grounds to continue the processing.
  4. The organisation is processing personal data for direct marketing purposes and the individual objects to that processing.
  5. The personal data has been unlawfully processed.
  6. The personal data has to be erased to comply with a legal obligation.

However, there are exemptions to the above, including where processing of the personal data is necessary to enable an organisation to comply with a legal obligation or is necessary for legal claims.

If an exemption applies, an organisation can either fully or partly refuse to comply with the individual’s erasure request. If it decides not to erase all of the personal data, then the organisation must reply to the individual without undue delay, and within one month of receiving the request, explaining the reasons for the decision and that the individual has the right to complain about the decision to the Information Commissioner’s Office or through the courts. As with subject access requests, an organisation can also refuse to comply with an erasure request if it is “manifestly unfounded or excessive”.

It is important therefore for organisations to consider any request to erase personal data carefully and on its own facts as there is no ‘one size fits all’ approach.

If an organisation erases an individual’s personal data (in whole or part), then it must inform other data controllers with whom it has shared the erased personal data about the erasure, unless it would be impossible to do so or doing so would involve disproportionate effort. In addition, if the individual’s personal data has been made public online, for example on social media or on a website, then the organisation is required to take reasonable steps to inform those with responsibility for the sites to erase links to or copies of the erased personal data.

__________________________________________________________________________________________

Disclaimer

This information is intended for general informational purposes only and does not constitute legal advice. We recommend seeking professional advice before taking any action on the information provided. If you would like to discuss your specific circumstances, please feel free to contact us on 0800 2800 421.
