It is a common misconception that data subjects have an absolute right to demand erasure of their personal data on request under Article 17 GDPR. In practice this is not the case, because many exceptions apply to this right. It is important to be aware of them so that you do not delete personal data incorrectly.
Published 20th of July 2023
In which cases do personal data have to be erased?
Article 17 of the GDPR stipulates the right to erasure (also called ’the right to be forgotten’). All natural persons have the right to contact any controller who is processing his or her personal data and request deletion of the data. There are several situations when the controller is obligated to erase personal data upon request, namely if one of the following grounds applies:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- For example: If a customer terminates their membership at the gym, it is no longer necessary for the gym to retain their contact details for the purpose of communication, as they are no longer a customer.
- The data subject withdraws consent on which the processing is based;
- For example: A person, who previously consented to participating in a competition, changes their mind and withdraws their consent.
- The data subject objects to their personal data being processed for direct marketing purposes;
- For example: An individual does not wish to receive advertisements from a particular company.
- The data subject objects to a processing that is based on the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or based on a legitimate interest pursued by the controller, provided that there are no compelling legitimate grounds for the processing;
- For example: A person no longer wishes to be part of a company’s address list, and the company has based the data processing on their legitimate interest.
- The personal data have to be erased to comply with a legal obligation;
- For example: According to the Swedish law on credit information, records of payment remarks that relate to a natural person must be removed no later than three years after the entry was registered;
- The personal data have been unlawfully processed;
- For example: When personal data have been processed without lawful basis, meaning that the processing does not comply with article 6 of the GDPR.
- The data subject is a child, and the personal data have been collected when the child created an account on a social media platform.
- For example: A child has provided Facebook with their personal data when creating a user account.
Do we always need to erase personal data upon request?
No. A common misconception is that a data subject can always request to have their personal data deleted. However, this is not the case. Deletion is only required if one of the above-mentioned grounds applies, and there are exceptions to these grounds as well. Article 17.3 GDPR states that a request for erasure shall not be granted to the extent that the processing is necessary for the following reasons:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation;
- for the performance of a task carried out in the public interest or in the exercise of official authority;
- for the establishment, exercise or defense of legal claims;
- for archiving purposes in the public interest or in scientific or historical research purposes; or
- for reasons of public interest in the area of public health.
Controllers can thus deny a request for deletion, partially or in full, either when the request does not fall under any of the situations listed in the first bullet list above, or when such a situation does apply but the processing is nonetheless necessary according to one of the exceptions listed directly above.
Therefore, a data subject does not always have the right to be forgotten in the sense that all his personal data must be deleted.
An example of a situation where this is the case is when a customer has purchased clothes online in a web shop and, in connection with the purchase, gave their consent to receive newsletters from the company. If the customer requests deletion after the purchase, the company must assess which personal data can be deleted. A request for deletion includes a withdrawal of consent, which means that the company must delete the personal data used for sending newsletters to the customer. However, the company needs to continue to process some personal data about the customer: the customer’s address information is processed in order to deliver the clothes, and the company also needs to store invoicing and payment details in order to comply with the rules of the Book-keeping Act.
Another example where the right to erasure normally does not apply is when someone wants to switch banking services. The customer’s previous bank normally has an obligation to retain customer information for a certain period, and is therefore not allowed to immediately erase a former customer’s personal data.
What rules apply to official authorities?
If the controller is an official authority, an exception to the right to erasure often applies. This is also the case when the controller, without being an authority, nonetheless performs a task in the public interest. For example, healthcare providers must collect and retain personal data, as they have a legal obligation to keep medical records of patients. Similarly, the Swedish government agency for employment (Arbetsförmedlingen) needs to retain personal data in order to correctly distribute unemployment compensation. The retention periods for their decisions and other documents are generally based on provisions in laws or regulations.
Summary and further reading
In conclusion, the right to erasure is far from absolute. Therefore, it’s essential that data controllers have well-established and clear routines when handling requests for erasure. You are more than welcome to contact us if you have further questions or are interested in improving your own work with the GDPR!