Right to erasure

In certain cases, the data subject has the right to have the controller erase all data concerning him or her without undue delay. This right is also known as the right to be forgotten.

This right does not apply if the processing of the data is necessary

  • for exercising the right of freedom of expression and information
  • for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • for reasons of public interest in the area of public health
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the objectives of that processing or
  • for the establishment, exercise or defence of legal claims.

In cases other than the above, the controller is obligated to erase the personal data without undue delay if

  • the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed
  • the data subject withdraws the consent on which the processing was based and there is no other legal basis for the processing
  • the data subject objects to the processing of his or her data for purposes of direct marketing or otherwise exercises the data subject's right to object and there is no other justified reason for the processing;
  • the personal data has been processed unlawfully
  • the personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject or
  • the personal data has been collected in connection with offering information society services.

How quickly is the controller required to reply to the data subject’s request?

The controller must respond to the data subject without undue delay and not later than in one month from receiving the request. In the reply, the controller shall indicate the measures it has taken due to the request.

If the requests are numerous or complex, the controller can reply that it needs more time to process them. In such cases, the deadline can be extended by a maximum of two months. Justifications must be provided for the extension.

If the controller refuses the data subject's request, it must notify the data subject of this within one month of receiving the request. The refusal must be justified to the data subject. In addition, the controller must also inform the data subject of the possibility of lodging a complaint with the supervisory authority and the availability of judicial remedies.

Is it possible to charge a fee from the data subject?

As a rule, the exercise of rights is free of charge.

If the data subject’s requests for erasure are manifestly unfounded or excessive, the controller can either charge a reasonable fee from the data subject or refuse the request.

Requests can be considered manifestly unfounded or excessive particularly if they are made repeatedly. The controller bears the burden of demonstrating the manifestly unfounded or excessive nature of the request.

The administrative costs of supplying the information or messages or carrying out the requested measure must be taken into account when determining the amount of possible fee.

Can the request be refused?

The controller evaluates whether or not the conditions for erasure are met. If the controller finds that the right to erasure does not apply, it is entitled to refuse the request, and the data subject can then refer the matter to the Data Protection Ombudsman.

If the data subject’s requests are manifestly unfounded or excessive, the controller can either refuse the request or charge a reasonable fee for fulfilling it.

If the controller refuses the data subject's request, it must notify the data subject of this within one month of receiving the request. The refusal must be justified to the data subject. In addition, the controller must also inform the data subject of the possibility of lodging a complaint with the supervisory authority and the availability of judicial remedies.

Inform recipients of the erasure of personal data

Where viable, the controller must inform each recipient to whom the personal data has been disclosed of the erasure of the personal data. The controller is required to notify the data subject of these recipients if so requested by the data subject.

If the controller has made the personal data public and is obliged to erase the personal data at the data subject's request, it shall take reasonable steps to inform controllers which are processing the personal data that the data subject has requested such controllers to erase any links to the personal data or copies thereof. Such reasonable steps include technical measures, among others. The available technology and costs of the measures are taken into account in the evaluation of this obligation.

Confirming the identity of the data subject

The controller must be able to confirm the identity of the data subject exercising his or her data protection rights. If the controller has reasonable doubts concerning the identity of the person who made the request, it can request the provision of additional information necessary to confirm his or her identity.

The GDPR does not provide for the methods of confirming the data subject’s identity. Many controllers already have suitable procedures in place. For example, the controller may have verified the data subject's identity before entering into the agreement or obtaining consent for the processing. This personal data can then be used to confirm the data subject's identity also in connection with fulfilling the rights of the data subject.

If the controller requests additional information for confirming the data subject’s identity, this may not cause unreasonable demands or the collection of personal data that is not relevant or necessary.

If the controller is unable to identify the data subject, it must notify him or her of this if viable.

If the controller refuses the data subject’s request due to not being able to identify the data subject, it must demonstrate that it is unable to confirm the identity of the data subject.

If the data subject cannot be identified, he or she cannot exercise the right

  • of access to data
  • to rectification of data
  • to erasure of data
  • to restrict the processing of data or
  • to data portability.

The data subject can provide additional information for the purposes of identification, however.

When is confirming the data subject's identity not necessary?

Personal data may be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of processing.

If the personal data that permit the identification of the data subject is not necessary for the purpose of processing, the GDPR does not obligate controllers to keep, obtain or process such additional data solely for the purpose of compliance with the GDPR.

Read more:

GDPR: Articles 12, 17 and 19