Overview

This article gives data subjects the right to have their personal data erased when the data is no longer necessary for the purposes for which it was collected, when consent is withdrawn and no other legal basis for the processing exists, when the data subject objects and there are no overriding legitimate grounds, or when the data has been unlawfully processed. Controllers must act without undue delay (under Article 12 this means within one month of receiving the request, extendable by two further months for complex or numerous requests, provided the data subject is told why), taking into account the exemptions in the article itself: a legal obligation to keep the data, freedom of expression and information, tasks carried out in the public interest (including public-health, archiving, research and statistical purposes), and the establishment, exercise or defence of legal claims. Where the controller has made the data public, it must also take reasonable steps, including technical measures and taking account of available technology and cost, to inform other controllers processing that data that the data subject has requested erasure of any links to, copies of, or replications of it.

Key Principles

  • Data Minimization and Purpose Limitation: Personal data should be retained only for as long as it is needed for the purpose it was collected for; data held past that point should be erased under the controller's own retention schedule, not only when a data subject asks.

  • Lawfulness: Erasure requests must be honored unless a recognised exemption applies, such as a legal obligation to retain the data, a public interest task, or pending legal claims. The exemption relied on should be identified and recorded for each refusal.

  • Timely Action: Controllers must respond to erasure requests without undue delay, and in any event within the one-month period set by Article 12 (extendable by two further months where necessary).

  • Scope: Includes data held by processors acting on the controller's behalf, who must delete it on instruction, and data the controller has made public, in which case other controllers must be informed of the request where feasible.

Organizational Applicability

This article applies to every organization that processes personal data of EU/EEA data subjects, whether or not the organization itself is established in the EU:

  • Controllers determining the purposes and means of processing personal data of EU/EEA data subjects, and the processors acting on their behalf.

  • Public and private sector entities processing data for services, marketing, or operational purposes.

  • Teams responsible for records management, IT systems, marketing, and compliance.

Implementation Requirements

  • Implement procedures to receive, validate, and process erasure requests. Validation includes verifying the requester's identity before anything is deleted: an unverified erasure request is itself an abuse vector, since it can be used to destroy someone else's records or to erase evidence.

  • Ensure deletion of data from all systems, including backups and third-party processors where feasible. Backups usually cannot be edited in place, so state the backup retention window in the response, make sure a restore re-applies erasures that were completed after the snapshot was taken, and where data is encrypted per data subject, destroy that subject's key so the copies held in backups become unrecoverable.

  • Document decisions, actions taken, and any applicable exemptions, including the date the request was received, the identity check performed, the systems and processors from which data was removed, and the legal basis for any refusal.

  • Establish mechanisms to inform other controllers when data the organization has made public must be erased, so that links to and copies of it can be removed.
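Erasure from backups is the requirement that most often fails in practice, because snapshots are immutable and are kept for months. One technique practitioners use for this is crypto-shredding: encrypt each data subject's records under a key that belongs only to that subject, and satisfy an erasure request by destroying the key, which renders every copy, including those in backups that were never touched, unreadable. The Go program below is an added example written for this page; it is not code from the original page or from any product it describes. The Store, Put, Get and Erase names, the in-memory key vault and record map standing in for a real key-management service and backup store, and the legalHold flag standing in for an exemption check are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var (
	ErrErased    = errors.New("subject key destroyed: data unrecoverable")
	ErrLegalHold = errors.New("erasure refused: legal-obligation exemption applies")
)

// Store models the two halves of a crypto-shredding design. Ciphertext
// records are append-only (a stand-in for backup snapshots that cannot be
// edited in place); only the small per-subject key map is ever mutated.
type Store struct {
	keys    map[string][]byte   // hypothetical key vault: subject -> 256-bit AES key
	records map[string][][]byte // hypothetical backup: subject -> nonce||ciphertext
	Audit   []string            // decision record the article requires
}

func NewStore() *Store {
	return &Store{keys: map[string][]byte{}, records: map[string][][]byte{}}
}

// aead returns an AES-256-GCM instance for the subject, generating a fresh
// key on first use when create is set; a missing key means the subject was erased.
func (s *Store) aead(subject string, create bool) (cipher.AEAD, error) {
	key, ok := s.keys[subject]
	if !ok {
		if !create {
			return nil, ErrErased
		}
		key = make([]byte, 32)
		if _, err := rand.Read(key); err != nil {
			return nil, err
		}
		s.keys[subject] = key
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts one record under the subject's own key and appends it to the
// immutable record set; the subject ID is bound as associated data so a
// record cannot be re-filed under another subject.
func (s *Store) Put(subject string, plaintext []byte) error {
	g, err := s.aead(subject, true)
	if err != nil {
		return err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.records[subject] = append(s.records[subject], g.Seal(nonce, nonce, plaintext, []byte(subject)))
	return nil
}

// Get decrypts every stored record. After erasure it fails with ErrErased
// even though the ciphertext bytes are still sitting in the record set.
func (s *Store) Get(subject string) ([][]byte, error) {
	if len(s.records[subject]) == 0 {
		return nil, nil // never seen: nothing to return, nothing was erased
	}
	g, err := s.aead(subject, false)
	if err != nil {
		return nil, err
	}
	var out [][]byte
	for _, rec := range s.records[subject] {
		n := g.NonceSize()
		pt, err := g.Open(nil, rec[:n], rec[n:], []byte(subject))
		if err != nil {
			return nil, err
		}
		out = append(out, pt)
	}
	return out, nil
}

// Erase handles a right-to-erasure request: apply the exemption check first,
// then destroy the key. Either outcome is written to the audit trail.
func (s *Store) Erase(subject string, legalHold bool) error {
	if legalHold {
		s.Audit = append(s.Audit, "erasure refused for "+subject+": legal obligation exemption")
		return ErrLegalHold
	}
	if key, ok := s.keys[subject]; ok {
		for i := range key {
			key[i] = 0 // best-effort scrub before the map entry is dropped
		}
		delete(s.keys, subject)
	}
	s.Audit = append(s.Audit, "key destroyed for "+subject+"; ciphertext retained but unrecoverable")
	return nil
}

// Backups reports how many ciphertext records still exist for a subject.
func (s *Store) Backups(subject string) int { return len(s.records[subject]) }

func main() {
	s := NewStore()
	_ = s.Put("alice", []byte("alice@example.com")) // constructed sample record
	_ = s.Erase("alice", false)
	_, err := s.Get("alice")
	fmt.Println(err, "| ciphertext copies still stored:", s.Backups("alice"))
}
```

The two things a reviewer should check in a real deployment of this pattern are the ones the example makes explicit: the key deletion and its audit entry are the erasure, so they must be in the same transaction, and the key vault must not itself be backed up in a way that lets a restore bring destroyed keys back, which means key material needs a separate and much shorter retention policy than the data it protects.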

Implementation Guidance

  • Maintain an inventory of where personal data is stored (including logs, analytics stores, caches and search indexes), and use automated or manual tools driven by that inventory to locate and delete personal data across systems.

  • Train staff to evaluate requests and determine exemptions accurately.

  • Coordinate with third-party processors to ensure erasure obligations are fulfilled: the processing contract must require the processor to delete or return the data on the controller's instruction, and the processor should confirm completion in writing so the confirmation can be kept with the request record.

  • Regularly review erasure policies and workflows for compliance and effectiveness.

Periodic Review

  • Frequency: Annually or when new data types or processing activities are introduced.

  • Responsible Role: Data Protection Officer (DPO) or Compliance Team.

  • Outcome: Confirm that data erasure processes are effective, timely, and compliant with GDPR.

Non-Compliance Risks

  • Fines: Up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.

  • Legal Exposure: Enforcement actions or complaints for failure to erase data.

  • Reputational Damage: Loss of trust from data subjects, regulators, and stakeholders.

  • Operational Risk: Continued retention of unnecessary or unlawful data can affect compliance and decision-making, and every record kept past its purpose enlarges the impact of a breach, since data that should already have been erased cannot be exposed.