Right to erasure
Data subjects have the right to request the deletion of their data. This can be done, for example, by sending a written message to a data controller. In many cases, controllers are then obliged to delete the personal data.
If one of the following circumstances exists, data must be deleted upon request:
- The data are no longer necessary for the purposes for which they were collected.
- The data have been processed unlawfully.
- The data must be deleted in order to comply with a legal obligation of the data controller.
- Data subjects withdraw their consent and there is no other legal basis for the data processing, such as an existing contract or a legitimate interest of a data controller.
- Data subjects object to data processing and data processors have no other overriding reasons to process the personal data. If data subjects object to the use of data for direct marketing purposes and request that their data be deleted, no consideration must be given to possible overriding reasons on the part of data controllers.
The right to erasure does not mean that any personal data can always and unconditionally be deleted. Erasure is not possible if data processing is required for specific purposes:
- To exercise the right of freedom of expression and information
- For the exercise of legal claims
- For the exercise of official authority
- For reasons of public interest
- For scientific research
- For archiving purposes in the public interest
- For the fulfilment of legal obligations of data controllers
In Germany, according to the Federal Data Protection Act, there is no right to erasure if data were processed lawfully and the deletion would entail a disproportionate effort. In this case, data processing should instead be restricted.
Closely related to the right to erasure is the right to be forgotten. The term “right to be forgotten” was originally coined in a judgment of the European Court of Justice (judgment C-131/12). The court ruled in 2014 that consumers can have links to their personal data deleted even from a search engine.
In the General Data Protection Regulation, the right to be forgotten is somewhat broader: if data subjects request the erasure of personal data that a controller has made public, the controller must tell other controllers that erasure of the data and, if applicable, of any links to it or copies of it, has been requested. However, there is no technical guarantee that controllers can implement this obligation. Especially with data published on the internet, it cannot be assumed that these data and all related links can ever be deleted without a trace.
Article 17 GDPR (Right to erasure (“right to be forgotten”))
1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(e) for the establishment, exercise or defence of legal claims.
Source: Regulation (EU) 2016/679 (see also recitals 65 and 66)
Section 35 BDSG (Right to erasure)
(1) If in the case of non-automated data processing erasure would be impossible or would involve a disproportionate effort due to the specific mode of storage and if the data subject’s interest in erasure can be regarded as minimal, the data subject shall not have the right to erasure and the controller shall not be obligated to erase personal data in accordance with Article 17 (1) of Regulation (EU) 2016/679 in addition to the exceptions given in Article 17 (3) of Regulation (EU) 2016/679. In this case, restriction of processing in accordance with Article 18 of Regulation (EU) 2016/679 shall apply in place of erasure. The first and second sentences shall not apply if the personal data were processed unlawfully.
(2) In addition to Article 18 (1) (b) and (c) of Regulation (EU) 2016/679, subsection 1, first and second sentences shall apply accordingly in the case of Article 17 (1) (a) and (d) of Regulation (EU) 2016/679 as long and as far as the controller has reason to believe that erasure would adversely affect legitimate interests of the data subject. The controller shall inform the data subject of the restriction of processing if doing so is not impossible or would not involve a disproportionate effort.
(3) In addition to Article 17 (3) (b) of Regulation (EU) 2016/679, subsection 1 shall apply accordingly in the case of Article 17 (1) (a) of Regulation (EU) 2016/679 if erasure would conflict with retention periods set by statute or contract.