GDPR – the ‘Right to be Forgotten’
The General Data Protection Regulation (GDPR) came into effect on 25 May 2018. It is a complex and wide-ranging piece of legislation, but its key points are that it gives people greater control over how their personal data is used and provides them with the much-publicised ‘right to be forgotten’ (erasure).
The ‘Right to be Forgotten’ states that:
“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds apply:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based according to point (a) of Article 6 (1), or point (a) of Article 9 (2), and where there is no other legal ground for the processing;
- the data subject objects to the processing pursuant to Article 21 (1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2);
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- the personal data have been collected in relation to the offer of information society services referred to in Article 8 (1).”
Simply put, the ‘right to be forgotten’ under the GDPR provides individuals with the right to request the erasure of personal data concerning them. Individuals can require data to be erased when there is a problem with the underlying legality of the processing or where they withdraw consent. An individual can also require information to be erased if the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
If the employer has made the personal data public, it also has a duty to take reasonable steps to inform other data controllers that are processing the data that the individual has requested the erasure of the data and any links to or copies of it.
It is worth noting that individuals do not have an unconditional right to be forgotten and the GDPR states certain circumstances in which data controllers do not have to comply with a request for erasure of information. This might be, for instance, where processing of information is necessary for compliance with a legal obligation or defence of a legal claim, such as a potential tribunal claim. However, in these circumstances, the employer must stop processing the data for other purposes not covered by the particular justification.