What is the right to be forgotten in practice?


The Regulation on the Protection of Personal Data (GDPR) establishes in its content many rights for natural persons whose data is processed. One of such rights is the so-called the right to be forgotten. What is it about? Let's check.

What is the right to be forgotten?

The right to be forgotten is defined in Art. 17 GDPR and consists in the fact that the data subject has the right to:

  • requests from the administrator to immediately delete personal data concerning him;
  • requests that the data controller informs other data controllers to whom he has made the personal data public, that the data subject requires these controllers to remove all links to these data or their copies.

As a result of submitting a request to delete personal data, the administrator is obliged to delete personal data without undue delay. The administrator must take appropriate technical and organizational measures to completely delete the data of the person who exercises the right to be forgotten.

In order to consider that someone's personal data has been completely deleted, it must be deleted from all places where it appeared, i.e. from, among others:

  • server,
  • mail,
  • Word and Excel files,
  • external and portable drives,
  • paper copies.

This applies to all copies, links, references.

It should be borne in mind that there is no need to use data, disclose or disseminate in order to be able to effectively declare the right to be forgotten, because the mere storage of personal data is an operation that allows you to submit a data erasure request.

For the administrator to perform the obligations consisting in the fulfillment of the above-mentioned of the requests, it is necessary to know to whom, during the cooperation, the processing of the data of the person who is applying for the right to be forgotten was transferred. This awareness is necessary because the administrator must send these entities a message so that they also remove the data of the person submitting this request.

Is the controller always obliged to delete personal data at the request of the data subject?

The obligation to delete data at the request of the data subject arises when one of the following circumstances occurs:

  • personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • the data subject has withdrawn consent to the processing of personal data and there is no other basis for data processing;
  • the data subject has objected to the processing of their data due to their special situation or to the processing of data for marketing purposes;
  • the personal data have been processed "unlawfully";
  • personal data "must be removed in order to comply with a legal obligation provided for in Union law or the law of the Member State to which the controller is subject";
  • the personal data was collected in relation to offering information society services directly to the child.

However, it should be emphasized that despite the request, the administrator is not always obliged to delete the data. Among the cases limiting the right to be forgotten, the following deserve special attention:

  • exercising the right to freedom of expression and information (this mainly applies to journalistic activity);
  • the existence of a legal provision that requires the processing of personal data;
  • a situation where data processing is necessary to establish, assert or defend claims.

An example here may be, for example, an employer who is obliged to collect employee documentation for 50 or 10 years, or an online seller who, despite the buyer's request to delete his data, will have to store data, such as name, surname, delivery address or contact details, because they may be used, among others when exercising his warranty right or to protect the seller against possible future claims.

Another example may be a situation when, for example, a customer ordered a product through an online store - he received the product but did not pay for it, and then asked the administrator to delete his data. In this situation, the administrator also has the right to further process the data of this client, because it will be necessary for him to prove his claims in court.

Only when the grounds for data processing cease to exist, the controller will have to remove it from all the above-mentioned places.

Start a free 30-day trial period with no strings attached!

What is and when should the obligation to rectify data be performed?

Attention should also be paid to another obligation of administrators, specified in Art. 16 GDPR. In the light of this article, controllers are required to take all reasonable steps to ensure that personal data that is incorrect in the light of the purposes of their processing are immediately removed or corrected (the so-called principle of truthfulness). The discussed principle requires that the data be correct and truthful. In this situation, the update of the data or its supplementation is carried out as a result of an appropriate request / notification of the data subject. In order to fulfill these obligations, administrators can therefore provide forms or specimen declarations on the change of such data.

After the administrator takes actions to remove or rectify personal data, the administrator is also obliged to inform each recipient to whom personal data has been disclosed about the actions taken. However, the controller does not have to fulfill this obligation if it proves impossible or if it would require excessive effort.