Individuals whose personal data are processed have the right, subject to the legal requirements in Art. 17 of the United Kingdom General Data Protection Regulation (UK GDPR), to request from the data controller that personal data concerning them be erased without undue delay. This right also includes the “right to be forgotten” when processing published personal data. For companies, the question arises as to when and to what extent personal data must be deleted and what requirements must be met to ensure the right to be forgotten.
What does deletion mean within the meaning of the UK GDPR?
Conceptually, it is important that the deletion of data means the irretrievable destruction of data. Here, all formats of data are meant, whether electronic or in paper form. Deleting electronic data is not usually done by simply moving it to the waste paper basket, but by overwriting the data records (several times). Software tools can be used here. Shredders should be used for analogue data. Alternatively, it is possible to have the destruction carried out by a qualified service provider. This requires a corresponding contractual obligation on the part of the service provider to prevent misuse (see also our template for a data processing agreement).
The deletion includes all information systems of the data controller, including any archives or backups. Caution is always called for! In practice, deletion from archives or backups raises follow-up questions. This is because long-term archiving is often based on a specific purpose (see the practical example below).
When is there a right to deletion according to the UK GDPR?
The right to erasure is given if the data controller is obliged to delete personal data. The right only applies to the personal data held by a controller at the time the data subject´s request is made. It does not apply to personal data from the data subject which may only be created in the future. The requirement to delete personal data arises directly from Art. 17 (1) a) – f) UK GDPR. Controllers are obligated to delete data if requested in the following circumstances:
- The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
- The processing is based on the legal basis of consent, and the data subject withdraws said consent and there is no other legal basis available.
- The processing concerns special categories of personal data and is based on the legal basis of consent, the data subject withdraws said consent and there is no other legal basis available.
- The data subject objects to the processing and there are no overriding legitimate interests for the processing.
- The data subject objects to processing for direct marketing purposes.
- The personal data was unlawfully processed.
- The personal data was to have been deleted for compliance with a legal obligation under domestic law anyway.
- The personal data was collected in relation to the offer of information society services (e.g. online game, search engine).
The data subject can always request deletion if either there is no longer a legal basis for the processing (i.e. it has subsequently ceased to exist) or there was never a legal basis for the processing. This is because the processing of personal data is generally prohibited unless there is a legal authorisation (legal basis). It can be deduced from this that the right to erasure is the necessary consequence and legal consequence of the principle of lawfulness of processing from Art. 5(1) (a) UK GDPR.
Ideally, personal data should be deleted autonomously and proactively by the data controller. Because if there is no (longer) a legal basis for the processing, the permission to continue storing the data also ceases to apply.
Two cases can be distinguished here:
- The legal basis ceases to exist through an active action by the data subject, for example through the revocation of consent or the justified objection to processing. The legal consequence is that in these cases there is no longer a legal basis. Further storage, which is processing within the meaning of the GDPR, constitutes unlawful further processing.
- In the other case, the legal basis ceases to exist purely factually and without any action on the part of the data subject. For example, through the fulfilment of a contract that originally made the processing necessary. The legal consequence is also the obligation to delete. This also results from the principle of storage limitation from Article 5 (1) (e) UK GDPR.
In practice, the second case in particular causes difficulties for companies. This presupposes that the company independently recognises the end of the purpose and thus the storage that is no longer necessary and proactively realises the deletion.
If the company independently complies with the legal requirements, the obligation to delete is obsolete in the event of a request for deletion, as the company is no longer subject to any obligation. In this case, it is sufficient to inform the data subject that the company does not store any personal data without a legal basis at the time of the request. In practice, the right to erasure is often a direct consequence of the right to information or is asserted together with it as an alternative.
Tip: When a right to erasure is asserted, always question the legal basis according to Art. 6 UK GDPR. Go through the catalogue of all legal bases. What is positively delimited by Art. 6 UK GDPR – when is processing permitted – is equally negatively delimited by Art. 17 UK GDPR – has a legal basis ceased to exist or was there never permission to process?
The right of the data subject to request deletion always results from the failure of the responsible party to fulfil its commitment independently and therefore always aims at the elimination of an unlawful state of affairs!
Practical example: CRM vs. accounting
The storage of customer data in an address database or CRM software is based on a different purpose than a possible long-term archive in which the company also stores the customer data. In this case, the data may be stored longer than in the CRM software due to a legal obligation from applicable tax law.
In the event of a request for deletion by a customer stored in the CRM, the obligation to delete may arise from the discontinuation of the purpose for processing if the business contact has come to a standstill and there is no other legal basis such as (advertising) consent for longer storage. However, this does not imply deletion of the personal data for the purpose of fulfilling accounting obligations in the context of invoicing.
For business practice, the decisive difference is that if data is deleted from the customer database in good time, it can no longer be processed by employees for other purposes. The purpose of the deletion is to make it impossible to use this data for further processing that is not covered by the original legal basis and is therefore illegal.
This example underlines the importance of assessing the lawfulness of processing activities individually based on the underlying purpose. Often, there is no added value for companies to retain personal data because they are no longer allowed to process it (further) anyway.
What does the right to erasure cover?
If the claim for deletion exists, the subsequent question arises as to the scope of the claim for deletion. The claim contains both temporal and quantitative specifications.
With regard to the time requirement, the responsible person must comply with the deletion without delay. This means that he is called upon to act immediately. The purpose is to eliminate an unlawful situation. As a final limit, the one-month deadline from Art. 12 (3) UK GDPR also applies here, as its text also refers to Art. 17 UK GDPR. The time for processing of the request can be extended by the controller by two months, but the data subject has to be informed of the extension according to the one-month deadline and receive an explanation as to the necessity of the extension.
With regard to the quantitative scope, a distinction must be made between the underlying purposes. Since there must be a separate legal basis for each processing purpose (purpose limitation), the claim includes all personal data for the processing of which the controller does not (or no longer) has a legal basis at the time of the assertion of the right. Since the obligation to erase exists in any case independently of a request for erasure, there is no need for the data subject to specify the claim for erasure.
The request of the data subject “to have all data concerning him deleted”, which is frequently read in practice, is to be interpreted in favour of the data subject as wanting to eliminate an unlawful situation, no matter to what extent it exists. Since only the person responsible can determine this, such statements are sufficient. The standard for the specificity of the request is therefore not high.
The right to be forgotten
The right to erasure also includes the right to be forgotten. In addition to deletion, this applies if the person responsible has made the personal data public. From the point of view of the data subject, this includes cases in which the operators of search engines have to delete links to search results that are displayed via the search for the data subject, as well as cases when, for example, employee data is published by the employer on social media networks.
As a result, the data controller must make every effort to ensure that the data is deleted as far as possible, including from third parties. This right of the data subject to be forgotten is also subject to the requirements of Article 17 (1) UK GDPR. Therefore, the existence of the obligation must first be determined. If such an obligation exists, further efforts are required if the data has been made public.
The special feature here is the permanent obligation of the controller to take appropriate measures to ensure that all other data controllers are informed of the need to delete both links to personal data and copies or other reproductions of personal data of the data subject. Consequently, the right to be forgotten is not remedied with a one-time deletion, but there is an obligation on the controller to ensure deletion on a permanent basis. The right to be forgotten thus takes into account in particular the easy dissemination of data through online services.
Digression: Google and the right to be forgotten
The best-known case on the right to be forgotten is probably the CJEU decision of 13 May 2014 against Google.
In this case, the CJEU had to decide on a data subject’s request to Google to the remove links to reports of a Spanish daily newspaper from 1998, which according to the data subject, disparaged his personality. Google did not carry out the deletion requested by the person concerned having regard to freedom of information and the public’s interest in information. The data subject turned to the Spanish supervisory authority.
Google was obliged by the supervisory authority to delete the links in question. The subsequent lawsuit filed by Google against this decision did not lead to a different result. The general protection of personality was deemed to take precedence over the freedom of information and the public’s interest in information.
Does the right to be forgotten apply to links worldwide?
The right to be forgotten only applies within the EU and in the UK, as only EU and UK data subjects enjoy the right to deletion and subsequent right to be forgotten.
In a ruling of 24 September 2019, the CJEU clarified that Google does not have to delete its search results worldwide if an EU citizen asserts his or her right to be forgotten. The ruling applies equally to UK citizens, having become part of UK law. According to this ruling, the scope of the duty to delete only extends to all states within the EU and to EU citizens, and subsequently to the UK and UK citizens.
However, exceptions to this may apply if the public’s interest in access to search results due to other journalistic rules on data processing outweighs the right of data subjects to respect for private life and to protection of personal data.
Consequence for search engine operators and those affected by this
As part of the implementation of data erasure, operators of search engines such as Google must permanently ensure that users cannot access the corresponding links to non-UK versions of the search engine from the UK and thus no processing of personal data located on these websites can take place. For example, employee images published via social media would have to be deleted by the data controller within the UK at the request of the data subject in such a way that no links to corresponding images are permanently displayed via the use of search engines. The operator of the search engine must then ensure that no links to corresponding pages can be made by accessing non-UK pages.
Conclusion: Integrate deletion obligations from the start
When it comes to requests from data subjects, companies need to handle them professionally. Besides the right to information, the request for deletion is the request that every company will probably encounter sooner or later. A lax approach at the beginning can turn it into a Sisyphean task in retrospect. Therefore, it is worthwhile to realise the associated tasks in the company in advance. Because if a company only processes personal data in a legally permissible manner, there is no further obligation to delete it.
The following points should be realised in order to implement the deletion obligations in the company:
- Use synergies! An organised overview of the type of data processed, the purpose of the processing and the storage locations as well as the legal retention periods should be kept in the company for the deletion of data in compliance with the UK GDPR and to ensure the right to be forgotten. In the records of processing activities according to Art. 30 UK GDPR, the specification of the deadlines for the deletion of the respective personal data is mandatory.
- It is recommended to create a separate deletion concept for all processing activities carried out in the company. This can then be referred to in the records of processing activities.
- Compliance with the deletion routines must be documented. Companies must be able to provide this proof. This is required by the accountability principle.
- Requests for deletion must be complied with as part of an internal process for responding to data subject requests. In this way, a company demonstrates a professional approach to communicating with data subjects. Since deletion in practice is often linked to a request for information, this process should be established holistically. The Information Commissioner´s Office (ICO) provides practical guidance on how to deal with erasure requests and when they may be refused on the grounds of being manifestly unfounded or excessive.