GDPR introduces a right for individuals to have their personal data erased. This is referred to as the right to erasure. You may also see it referred to as the right to be forgotten.
The broad principle of this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
When does the right to erasure apply?
It should be understood that the right to erasure does not provide an absolute right to be forgotten. Individuals have the right to have their personal data erased and the right to prevent processing under specific circumstances:
- when personal data is no longer necessary in relation to the purpose for which it was originally collected/processed;
- when the individual withdraws consent;
- when the individual objects to the processing and there is no overriding legitimate interest for continued processing;
- when the personal data was unlawfully processed initially;
- when personal data has to be erased to comply with a legal obligation.
Additionally, if the processing of the information is likely to cause damage or distress, this is likely to make the case for erasure stronger.
When can I refuse to comply with a request for erasure?
If it is established that there is a justified reason for erasure, we will notify all third parties of the request. They will then be required to establish whether or not there is a justifiable reason to erase such data. For full details on where your right to erasure will or will not apply, please see the ICO website here.
Can we refuse to comply with a request for other reasons?
We can refuse to comply with a request for erasure if it is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.
Should we consider that a request is manifestly unfounded or excessive, we can:
- request a “reasonable fee” to deal with the request; or
- refuse to deal with the request.
How is a request refused?
A request will be refused formally in writing, stating the reason(s) for refusal.
How do we recognise a request?
It is preferable that all requests are made in writing to ensure that no communication is misunderstood and that each request can be easily referenced by an audit trail. We understand, however, that from time to time individuals may wish to exercise their right to erasure verbally.
Please ensure that proof of ID is provided as part of your request.
Please submit all requests for the attention of the Data Protection Officer to:
- Gateway House, 8 Kings Parade, Kings Road, Fleet GU51 3AB
How do we inform you of what data was held and erased?
When complying with your wishes to erase your data, we will first conduct an audit to establish what data is held. We will subsequently delete this data and notify you in writing.
How long do we have to comply?
We will respond to you within one month of receiving your request. If your request is particularly complex, we may extend this timeframe by up to two months; however, you will be notified if this is the case.
What methods do we have to erase data?
Your information will be destroyed in line with ICO guidelines.