Article 17 of the GDPR, “the right to erasure,” also known as the “right to be forgotten,” allows individuals to request that data controllers remove their personal data.
But the right to be forgotten involves much more than an individual simply asking a company to delete their personal data.
The right to be forgotten appears in Article 17 of the GDPR, stating that if one of a number of conditions applies,
“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.”
“Without undue delay” is considered to be within one month after receiving the request.
Additionally, the data controller must take appropriate measures to confirm the identity of the data subject behind the request.
The specific conditions under which the right to be forgotten is applicable are outlined in Article 17. An individual has the right to have their personal data deleted if:
Yes, in the following situations, the data controller can override the users’ right to be forgotten:
Additionally, if an organization can demonstrate that a request to delete personal data was unreasonable or incorrect, the company may demand a “reasonable fee” or reject the request.
When exercising the user’s right to be forgotten, many factors are at play, and each request needs to be evaluated individually.
First of all, it is up to the data controller to determine whether a request for the removal of personal data should be carried out. The data controller must reply to the request within one month and communicate the related decision:
Suppose the result of the data controller assessment indicates that it is necessary to remove the personal data kept in the Consent Database. In that case, iubenda will be available to help with the technicalities.
However, the data controller will need to make an API call to log the deletion if they want to move forward with a request to exercise the right to be forgotten. Please keep in mind that the data controller will need to modify the API call to include the relevant personal data.
Please see this example below:
curl --location --request POST 'https://consent.iubenda.com/consent' \
  --header 'Content-Type: application/json' \
  --header 'ApiKey: YOUR_PRIVATE_API_KEY' \
  --data-raw '{
  "subject": {
    "id": "subject_id"
  },
  "preferences": {
    "preference1": "false",
    "preference2": "false",
    "rightToBeForgotten": "true"
  },
  "proofs": [
    {
      "content": "The user requested to be forgotten, and this is the proof of it"
    }
  ]
}'
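The same call built programmatically, as an added example that is not iubenda's own code: it serializes the body with a JSON encoder so personal data containing quotes cannot break the payload, and it refuses a non-HTTPS endpoint so the private API key is never sent in clear text. The helper names and the sample values are assumptions of this example; the endpoint, header names and body fields are those of the curl call above.

```python
import json
import urllib.request

# Endpoint and header names are taken from the curl call in the article.
ENDPOINT = "https://consent.iubenda.com/consent"


def build_erasure_request(subject_id, proof_text, preference_keys, api_key,
                          endpoint=ENDPOINT):
    """Build (without sending) the POST that logs a right-to-be-forgotten request.

    Hypothetical helper: its name and parameters are assumptions of this example.
    """
    # The private API key must never travel over plain HTTP.
    if not endpoint.lower().startswith("https://"):
        raise ValueError("endpoint must use https")
    if not subject_id or not api_key:
        raise ValueError("subject_id and api_key are required")

    # Mirror the article's body: every listed preference is set to "false"
    # and rightToBeForgotten to "true" (string values, as in the article).
    preferences = {key: "false" for key in preference_keys}
    preferences["rightToBeForgotten"] = "true"
    payload = {
        "subject": {"id": subject_id},
        "preferences": preferences,
        "proofs": [{"content": proof_text}],
    }
    # json.dumps escapes quotes and backslashes in the personal data, which
    # hand-editing a shell-quoted JSON string does not.
    body = json.dumps(payload).encode("utf-8")
    headers = {"Content-Type": "application/json", "ApiKey": api_key}
    return urllib.request.Request(endpoint, data=body, headers=headers, method="POST")


def send(request, timeout=10):
    """Perform the call and return (HTTP status, response text)."""
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.status, response.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Constructed sample values; nothing is sent until send(req) is called.
    req = build_erasure_request('user"42', "Erasure requested by email (constructed)",
                                ["preference1", "preference2"], "YOUR_PRIVATE_API_KEY")
    print(req.get_method(), req.full_url)
    print(req.data.decode("utf-8"))
```

In real use, load the API key from a secrets store or environment variable rather than hard-coding it in the script.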
The data controller can use the same method of communication that the user used to express the request. For example, if the user communicated the request with an email address, the data controller can use that same email address to contact the user.
For compliance reasons, the proof of users’ consent and any withdrawals must be kept. However, the data controller who receives a request to exercise the right to be forgotten must consider each request individually.
For all data processing operations to be carried out on the legal basis of consent, the data controller must keep track of the proof of consent obtained.
On the other hand, users are entitled to revoke any prior consent they may have given for the processing of their personal data under.
With the help of the Consent Database, it is possible to manage user consent and keep the consent records required by the GDPR.
If you need further assistance exercising your user’s right to be forgotten, don’t hesitate to contact our support team.