Deletion requests - Companies must comply
Deletion requests cannot be denied on the basis of 'technical feasibility'. Dealing with Erasure Requests - even when they are costly, or require system changes.
Although the GDPR was brought into force in May 2018, there continues to be a considerable degree of confusion regarding its requirements.
One of the most frequently asked questions concerns 'deletion requests'. More commonly these are referred to as 'Erasure Requests' based on 'the right to be forgotten.'
The question is: Can a company refuse a right to be forgotten (Erasure Request) based upon technical feasibility?
Under Article 17 of the GDPR individuals have the right to have personal data erased. But this right is not absolute and it only applies in certain circumstances.
Under the GDPR, organisations cannot refuse a data subject's request for data deletion based on 'technical feasibility'. Technical feasibility does not provide grounds for refusing a deletion request.
Companies might use 'technical feasibility' to argue that implementing or modifying systems to enable data deletion is cost prohibitive. However, the GDPR does not provide an exception from compliance with a deletion request based on technical feasibility.
The GDPR acknowledges exemptions of disproportionate effort or impossibility within the context of other data subject rights. However, such exemptions are not included in data subjects' right to erasure. Therefore, the absence of exceptions or exemptions in the right to erasure could imply that organisations cannot lawfully refuse erasure requests.
What is the Right to Erasure and when does it apply?
In basic terms, if you hold someone's Personal Data they can request that you delete it. This is known as an 'Erasure Request'.
Erasure Request based on the Right of Erasure
People have a legal Right to Erasure. However, as previously mentioned, this right is not absolute and only applies in certain circumstances. According to the GDPR, the right to have Personal Data deleted, or erased, applies when one or more of the following conditions apply:
the personal data is no longer necessary for the purpose for which you originally collected or processed it;
you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
you are processing the personal data for direct marketing purposes and the individual objects to that processing;
you have processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the 1st principle);
you have to erase the data to comply with a legal obligation; or
you have processed the personal data to offer information society services to a child.