The right to be forgotten is added, through the GDPR, to what existed until now as the right to erasure. As the name says, the right to erasure means a user can request a controller to erase all their data. The controller shall have the obligation to comply:

  • if the data is no longer required for the purposes it was originally acquired for,
  • if the data subject has withdrawn his consent and there is no other legal ground for processing,
  • if the data subject has objected to the processes and there is no legal ground to override this right
  • If erasure is required to fulfill a statutory obligation under the EU or Member State law.

Furthermore, through the right to be forgotten, a new provision is added. If the controller made the data public, he must take steps to inform all the data controllers and processors of the erasure request.

Before an erasure request can be accepted, the identity of the data subject should be proven in suitable way. As a result, if any uncertainty exists at the time of the request, the controller can ask the data subject to prove his/her identity. If all factors are met, the controller has the obligation to erase the data without undue delay. In this case, undue delay means that the data subject should be informed of the decision within one month from his request or the reasons for the refusal.

One should remember that the right to be forgotten is not always guaranteed. When it collides with the right to freedom and expression, it may be limited. Other cases when this right does not apply include when the data is necessary to comply with legal obligations, for archiving purposes in the public interest, for scientific, research or statistical purposes.

Articles: 17, 19

Recitals: 39,65,66.