It may happen that a person no longer wishes to share his or her personal data with an institution, company, etc. By relying on the right to be forgotten, she can then request their deletion. But beware, this provision, despite being provided for in Article 17 of the General Data Protection Regulation (GDPR), cannot always be evoked. In what circumstances is the ” Right to erasure ” really applicable ? As a legal tool, what do you need to understand to take advantage of ?
What does Article 17 of the GDPR say about the right to be forgotten ?
Article 17 of this European regulatory text is known as the “right to erasure” (” droit à l’oubli “). It provides that under certain specific conditions “the data subject shall have the right to obtain from the controller the erasure, as soon as possible, of personal data relating to him or her, and the controller shall have the obligation to erase such personal data as soon as possible […]”.
What is the right to be forgotten under the RGPD ?
More clearly, in the age of Big Data, i.e. the mass harvesting of data for later use (analytics, marketing and so on), we are all, and usually voluntarily, revealing private information on the web. We can do this by registering, for example, on the website of a company selling goods or services, or an official organization, etc.
In some cases, an Internet user may no longer wish his or her personal data to appear among those collected by a website. As this is a right, including if there is consent in the first place, it may evoke Article 17 of the GDPR, which has become the popular expression ” right to be forgotten “.
However, this right to be forgotten is much more subtle than you might think, making it applicable only in certain specific situations.
When can the right to erasure be invoked ?
Article 17 of the RGPD for the erasure of personal data is applicable in the following cases :
- The applicant’s personal information no longer corresponds to the purposes stated in the consent signed by the Internet user at the outset;
- When withdrawing consent ;
- When he objects to the use of his private data ;
- If the data is processed for purposes that are unlawful and contrary to the purposes stated in the consent ;
- When the data processing deadline is exceeded ;
- When your data has been made public without your consent.
Did you know ?
The right to be forgotten is not an absolute right !
When can the right to erasure be refused ?
The right to erasure lapses once the applicant’s reasons do not correspond to those set out in Article 17 of the RGPD. This can also be the case if his personal information :
- Health information, for example, is used in the public interest ;
- If scientific, historical, etc. ;
- If they are part of a legal obligation (payment of an invoice, etc.).
How do you evoke your right to be forgotten?
It’s easy to invoke your right to erasure. Simply send a letter to the organization’s data controller. The subject line must, of course, clearly explain that it is a request for the deletion of private information.
For better processing of the request, the contact person can come back to the applicant to ask for supporting documents (identity document, customer number, etc.).
How long does it take to delete personal data ?
On receipt of a data deletion request, the recipient has one month in which to proceed. This period can be extended to two months if the data deletion requires a complex intervention.
Request for the right to be forgotten : what to do if there is no response ?
It may happen that a request to delete private data goes unanswered. In such a case, the Commission Nationale de l’Informatique et des Libertés (CNIL) is responsible for intervening.
Simply send a letter to the organization, accompanied by proof that the initial request has not been processed. It can be :
- Notice of receipt of the original letter
Or
- A screenshot, if the request was made by e-mail.
