The “right to be forgotten” is a central part of the European General Data Pro­tec­tion Reg­u­la­tion (GDPR). The main idea behind it is to protect people whose data is processed online or offline. The right to be forgotten calls for some digital personal data to be deleted under certain con­di­tions.

What does the “right to be forgotten” mean?

The right to be forgotten under the GDPR is one of the most important resources for consumers to protect their privacy and personal data. It enables people to have digital personal data per­ma­nent­ly deleted by companies or those re­spon­si­ble for a website (known as “data con­trollers”), re­gard­less of whether the company collects and stores the data or just makes it publicly available.

How does the right to be forgotten apply in the US?

The GDPR is a European Union reg­u­la­tion, but it can affect US companies. US busi­ness­es with a branch or even just an employee in the EEA are subject to the GDPR just like European companies. In addition, any company that targets people in the EU with its goods or services is required to comply with the GDPR. So if you’re selling your products to in­di­vid­u­als in Europe, you’ll need to make sure your website is compliant. This also means that in­di­vid­u­als in the EU can submit claims to you under the right to be forgotten.

The Cal­i­for­nia Consumer Privacy Act (CCPA) also contains a right to be forgotten and applies to any data per­tain­ing to Cal­i­for­nia residents. At this time, there is no right equiv­a­lent to the European right to be forgotten under US federal law.

How did the GDPR right to be forgotten come about?

The GDPR has its origins in the Google ruling that the European Court of Justice (ECJ) handed down on May 13, 2014. The court held that data subjects can under certain con­di­tions request the deletion of links that contain outdated or ir­rel­e­vant in­for­ma­tion about them. In the ECJ ruling, the oblig­a­tion to delete upon request pertains to search engines that make personal data publicly ac­ces­si­ble. The ruling primarily pertains to private in­di­vid­u­als and notes that, in the case of public figures or press archives, the right to be forgotten needs to be weighed against the right to in­for­ma­tion.

Where is the right to be forgotten legally defined?

In the Google ruling, the ECJ applied existing EU data privacy guide­lines, which took concrete shape in 2016 as the European General Data Pro­tec­tion Reg­u­la­tion (GDPR). The right to be forgotten can be found in article 17 of the GDPR under the heading “right to erasure”. The term “right to be forgotten” appears in the heading in paren­the­ses.

Right to be forgotten vs. right to erasure

The right to be forgotten can be un­der­stood as an extension of the right to erasure in the GDPR. Article 17 of the GDPR primarily serves to regulate the oblig­a­tion to delete for data con­trollers who directly process personal data or make it publicly ac­ces­si­ble. This includes media outlets and companies that directly process and store people’s data. If the re­quire­ments for deletion are fulfilled, the data con­troller must im­me­di­ate­ly and demon­stra­bly delete the relevant links or data.

The right to be forgotten appears in article 17(2) of the GDPR and pertains to third parties that don’t collect personal data them­selves but do make it publicly available (as search engines such as Google do, for example).

What are the con­di­tions of the right to be forgotten?

There are some specific re­quire­ments for data to be deleted by data con­trollers and relevant third parties, including that:

  • There is no longer a need for the storage and ac­ces­si­bil­i­ty of the data in terms of the original purpose of col­lect­ing and pro­cess­ing the data
  • Data subjects have withdrawn their consent for the pro­cess­ing and storage of the data
  • There is no over­rid­ing legal reason for the storage of the data
  • The col­lec­tion and pro­cess­ing of the data happened un­law­ful­ly and/or without consent
  • Data con­trollers are legally required by the GDPR to respect the right to erasure and the right to be forgotten
  • The personal data pertain to minors and were collected for online services

If data subjects can prove their claim, the company in question is required to delete the data “without undue delay”. Usually this means that the con­troller needs to inform the data subject within a month of their request about actions taken or reasons why the request has been rejected.

Examples of the right to be forgotten

The right to be forgotten is an important in­stru­ment for pro­tect­ing an in­di­vid­ual or company’s rep­u­ta­tion, ap­pear­ance and privacy. In practice it would apply if, for example, a search engine still showed results relating to a person’s bank­rupt­cy, court case, or “em­bar­rass­ing” behavior 10 or 20 years after the fact. It’s also important for the re­so­cial­iza­tion of people formerly convicted of crimes, es­pe­cial­ly when it comes to minor mis­de­meanors. The right to data erasure enables in­di­vid­u­als and companies to protect their rights and safeguard their career op­por­tu­ni­ties and pro­fes­sion­al image.

How does deleting personal data work?

The GDPR doesn’t clearly define a method for carrying out required erasures. However, it does specify that the erasure must happen demonstrably and immediately. Here are some potential methods:

  • De­struc­tion and disposal of physical media by experts
  • Professional overwriting of the relevant storage locations, provided it can be proven that this resulted in the removal or unusability of the data
  • Deleting as­so­ci­at­ed links, shortcuts, search entries, search terms and coding
  • Listing and deleting search engine al­go­rithms

What are the ex­cep­tions to the right to be forgotten?

In some cases, the deletion of personal data upon request can conflict with freedom of in­for­ma­tion and the oblig­a­tion to retain data. Although the GDPR gives private in­di­vid­u­als the right to more privacy, certain con­di­tions and ex­cep­tions ensure that critical data cannot be deleted if it is subject to a storage oblig­a­tion or is of public, medical, tax or security interest. However, es­pe­cial­ly when it comes to longer storage periods, it’s important to note that personal data that is no longer being processed but is still required to be retained is subject to stronger access pro­tec­tion.

Overview of ex­cep­tions to the EU right to be forgotten

Below are some cases in which an exception to the right to be forgotten might apply:

  • The data are still needed for pro­cess­ing.
  • The people in question have consented to the data pro­cess­ing that is still needed.
  • The data are still needed to fulfill a person or company’s public or legal oblig­a­tions.
  • The pro­cess­ing of the data is a matter of public interest.
  • The data is being processed in the context of archiving, research or collection of data for statistics that are in the public interest.
  • The data plays a demon­stra­ble role in legal pro­ceed­ings.

Note that freedom of speech and freedom of in­for­ma­tion take prece­dence over the right to erasure and the right to be forgotten.

Note

Depending on the case, ex­cep­tions to the right to be forgotten may expire if a claim for deletion can be enforced after the relevant statute of lim­i­ta­tions. In a court case that took place in Germany, the OLG Dresden ruled that, in the case of data that is required to be stored, ir­rel­e­vant parts of that data are not subject to the storage oblig­a­tion. In the interest of min­i­miz­ing data, in­di­vid­ual data such as personal in­for­ma­tion about names, business partners and addresses can be deleted if there aren’t any specific reasons for storing them.

How can you assert your right to be forgotten?

In order to request that your data be deleted and removed, you first need to know that the data exist. That’s where the right of access in article 15 of the GDPR comes in. This allows you to get information about data pertaining to you that is being stored or processed by a company. Based on the right of access, you can then assert your right to erasure and to be forgotten via an email or letter to the data controller.

There is not any pre­de­ter­mined form that your request needs to take. However, in order to be able to prove that you made the request, you should always make it in writing. You can find free templates on the EU’s GDPR website. To avoid a drawn-out request or a rejection, you should be sure to include proof of identity for the person making the request and/or the person who the data in question pertain to.

How can you apply your right to be forgotten with Google?

Companies like Google and Facebook provide free online forms that you can use to make a request. The Google support page has in­for­ma­tion about the process of making a request and what the form will ask for. To have a Google entry deleted, you’ll need to provide the following in­for­ma­tion:

  • URLs in question with the search results you want deleted
  • Proof that the data are relevant to you and reasons for deleting them
  • The search query that leads to the results (e.g. your own name)
  • Email addresses that lead to the search results in question
  • Back­ground in­for­ma­tion and proof that show that the deletion and removal is warranted

Is there a general right to privacy and data removal?

At first glance, it might seem that the right to be forgotten means that your personal data can’t be made publicly accessible without your permission. But when you give your consent for your data to be processed in the course of your everyday online activities, you don’t necessarily have a general right to deletion. And indeed, the unjustified deletion of data can even be considered a data breach. That’s especially the case if there are obligations for data storage or if critical data are involved. Think about, for example, illicitly deleting data to cover up criminal activity.

Is it enough to anonymize data?

One al­ter­na­tive to deletion is thor­ough­ly anonymiz­ing data. Processed and stored data can be so deeply anonymized that it can no longer be un­der­stood as personal data. The GDPR is not directly ap­plic­a­ble if, for example, data that’s used for sta­tis­ti­cal analysis or research is suf­fi­cient­ly anonymized.

That’s the case if, for example, no party would be capable of making a con­nec­tion between people and relevant or ir­rel­e­vant data sets. Methods for anonymiza­tion include ran­dom­iz­ing, gen­er­al­iz­ing or pre­vent­ing con­nec­tions. Anonymiza­tion as an al­ter­na­tive to deletion is addressed in article 4 of the GDPR.

How does the right of erasure apply to companies?

European data pro­tec­tion reg­u­la­tions like the GDPR and the ePrivacy Reg­u­la­tion have a big impact on companies when it comes to data pro­tec­tion and the right to be forgotten. The GDPR, for example, stip­u­lates that companies cannot ar­bi­trar­i­ly collect data and that they can only process data with a user’s written consent. And the ePrivacy Reg­u­la­tion requires that people ex­plic­it­ly allow the use of cookies and trackers on websites.

Since pro­cess­ing data is essential in online marketing and ecommerce, you should make arrange­ments for data pro­tec­tion and data sov­er­eign­ty from the outset of your venture. Arrange­ments include:

  • An ac­ces­si­ble and visible privacy policy compliant with GDPR on your website
  • Tools and strate­gies for eval­u­at­ing and im­ple­ment­ing requests for deletion
  • Legally compliant notices about cookies and tracking
  • Legal safe­guards with respect to the pro­cess­ing and transfer of data, e.g. data pro­tec­tion officers and IT legal de­part­ments (es­pe­cial­ly after the ex­pi­ra­tion of the EU-US privacy shield).
