The General Data Protection Regulation (GDPR) gives individuals the right to ask for their data to be deleted and organisations do have an obligation to do so, except in the following cases:
- the personal data your company/organisation holds is needed to exercise the right of freedom of expression;
- there is a legal obligation to keep that data;
- for reasons of public interest (for example public health, scientific, statistical or historical research purposes).
If your company/organisation processed data unlawfully it must delete it. In the case of an individual, data collected when they were still a minor must be deleted.
With regard to the right to be forgotten online, organisations are expected to take reasonable steps (for example technical measures) to inform other websites that a particular individual has requested the erasure of their personal data.
Data can also be kept if it has undergone an appropriate process of anonymisation.
Data do not have to be deleted
Your company/organisation runs an online newspaper. One of your journalists publishes a story on how a politician had laundered money in off-shore banks. The politician requests to remove the story because his personal data is being processed. Since the personal data is used to exercise the right of freedom of expression, your company/organisation is, in principle, not obliged to delete such data. However, this will depend on the national legislation in place.
Data have to be deleted
Your company/organisation runs a social media platform. A minor uploads photos; however, some years later he decides that the said photos are potentially harming his career prospects. Since the individual was a minor at the time of uploading, you’re obliged to delete the said photos. Furthermore, if the photos have been processed on other websites, your company/organisation must take reasonable steps to inform them that a request to delete the photos was filed.
- Article 17 and Recitals (65) and(66) of the GDPR
- Article 29 Working Party Guidelines on the implementation of the Court of Justice of the European Union judgment on ‘Google Spain and inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González’ c-131/121 (WP 225)