UK GDPR – the ‘Right to be Forgotten’
Under the UK GDPR, individuals have control over how their personal data is used and have, in particular, the right to have their personal data erased, also known as the ‘right to be forgotten’.
The ‘Right to be Forgotten’ applies if:
- the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
- the data subject withdraws consent to process data and there is no other legal ground for the processing;
- the personal data has been unlawfully processed; or
- the personal data has been processed for direct marketing purposes and the individual objects to that processing.
The UK GDPR specifies two circumstances where employers should tell other organisations about the erasure of personal data, namely when:
- the personal data has been disclosed to others; or
- the personal data has been made public in an online environment.
It’s worth noting that the right to be forgotten does not apply if processing is necessary for one of these reasons:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation;
- for the performance of a task carried out in the public interest or in the exercise of official authority;
- for archiving purposes;
- for the establishment, exercise or defence of legal claims.