In the past few weeks we have covered three rights individuals will possess under GDPR: the right to be informed, the right to access, and the right to rectification. This week in the GDPR Overview series, we will be covering three more rights: the right to erasure, the right to restrict processing, and the right to object to processing.
First of all, let's find out what these rights actually mean.
The right to erasure is also commonly known as the right to be forgotten. Essentially, it gives individuals the right to ask (in specific situations only) that you erase all their personal data you have stored on them, thus enabling them to be "forgotten."
The right to restrict processing gives individuals some control over how their personal information gets used by your organization. Organizations are permitted to process and store this personal data, however, they are not permitted to use it.
The right to object to processing means that individuals can refuse to have their personal data processed by your organization under certain circumstances.
The right to be forgotten, as stated above, only applies in certain situations. This means individuals cannot simply request the erasure of their personal data for no apparent reason and requires them to have a legitimate reason for wanting to be forgotten.
However, there are quite a few legitimate reasons an individual can provide when submitting a request for erasure. For example, if your organization no longer requires the personal data that was initially collected from the individual, then said individual can request that this information be securely deleted as there is no legitimate purpose for which this data must be retained.
Other potential situations where an individual can legitimately request their data be deleted can include (among others):
- The individual withdraws their consent for the processing of the data (if you are using consent as your sole legal basis for processing).
- The individual objects to the processing of the data and you are relying on the "legitimate interests" legal basis. In this case, you must erase the data if you cannot provide a legitimate interest to supersede the request for erasure.
- If you have processed the data illegally.
- If you must erase the data in order to comply with a legal obligation.
Upon the receipt of an erasure request, under GDPR your organization must respond within a month. However, if the request is long or complex, or if you receive multiple requests from the same individual, you are able to extend the deadline an additional two months, provided you let the requester know within the original month.
There are certain cases in which the right to erasure does not apply. For example, the right of erasure does not apply if the data is being processed in order to exercise the right of freedom of expression and information.
A couple of other situations where the right of erasure would not apply include:
- If the data is being processed in accordance with a legal obligation.
- If the data is being processed to carry out a task in the public interest or with official authority.
- If the data is being processed for archiving purposes in the public interest or statistical/scientific research where erasure would compromise the results.
Also, in the case of special category data (sensitive data such as genetic or some biometric data), the right of erasure will not apply if the processing of that data is necessary for public health purposes or the management of health or social care services. However, this only applies if the data is being processed under the responsibility of a health professional (or someone bound by the legal obligation of confidentiality).
Individuals can request that their data be restricted under certain conditions. Under GDPR, when data processing is restricted or suppressed, organizations are permitted to store the individual's personal data but they cannot use it.
Individuals must have a particular reason for wanting their data restricted. They cannot ask that you restrict the use of their data simply "because." For example, the individual may want their data restricted because they contest the content of the data the organization has collected or stored.
Individuals have the right to ask for an organization to restrict the processing of their personal data when the data has been processed illegally; when the data is no longer required by the organization but may still be needed to substantiate a legal claim; or if the individual has submitted a request for rectification that has yet to be fulfilled, among other kinds of requests.
When a request comes in from an individual (either verbal or in writing) to restrict the processing of their data, an organization has one month to comply with the request but can extend this for two more months if the request is lengthy or complex. The organization must inform the individual within the original month with regard to the extension requirement.
In regard to restricting the processing of personal data, in many cases, this will only be a temporary act necessary while a rectification, erasure, or objection request is being considered by your organization. Often data restriction serves as an alternative to full data erasure, especially in the case where the data may not be needed by the organization anymore, but it should still be stored in case it is needed in the defense of a legal claim. Before a restriction is lifted, however, it is imperative that you inform the individual before doing so and let them know they have the right to lodge a complaint to a supervisory authority and can seek judicial remedies in the event they are not satisfied with your decision.
Objection to Processing
The right to object to having personal information processed is a little more cut and dry compared to some of the other rights we have covered. When a legitimate objection request is received, an organization has very little leeway under which they can refuse the request.
There are several cases in which an individual can object outright to having their personal data processed by an organization. These include:
- If the processing is based on legitimate interests, performed in the public interest, or exercised by an official authority. This includes using personal data for profiling purposes.
- If the processing is used for direct marketing purposes.
- If the processing is done for the purposes of scientific, historical, or statistical research.
An organization is compelled to comply with an objection request made on any of these grounds except in the following circumstances:
- In regard to the processing of data based on legitimate interests, if you can prove there are convincing grounds for processing the data that override the interests, rights, and freedoms of the individual or if the processing is necessary for the defense or establishment of legal claims then you do not have to comply with the objection request.
- For the processing of personal data for research purposes, if you can demonstrate that the processing being done is necessary for the performance of a task in the public interest, you can deny the objection request.
- In the case of an objection to processing personal data for direct marketing purposes, there are no grounds on which this request can be denied. Processing must be stopped as soon as an objection is received.
GDPR grants individuals a lot more power to determine how and if their personal data is used by an organization who collects it. As has been mentioned previously during this series, this ensures organizations are held accountable for the ways they collect, process, and store this data so as to greater protect the privacy of individuals' data and prevent it from being mishandled and misused.
Next week in the GDPR Overview series…
That's it for this week's edition of the GDPR Overview blog series. Next week, we will take a look at the last two rights that have been granted to individuals under GDPR: the right to data portability and rights related to automated decision-making.