What is a Data Erasure Request Response Letter?

The General Data Protection Regulation (“GDPR”) is a new Privacy law in the European Union (“EU”), which came into force on 25 May 2018. The GDPR regulates the protection of personal data, which includes any information that can be used to identify a person, such as a name, identification number, location data, or online identifier, and a wide range of other types of information.

The GDPR applies to all business in the EU, including the UK. However, if you are a business outside the EU that collects personal data from individuals in the EU, and you make decisions about how and why the personal data is used, you will be considered a “controller” under the GDPR, and be subject to its rules regarding the data of those individuals. If you process personal data of individuals in the EU on behalf of a controller, you will be considered a “processor”, and will also need to comply with the GDPR.

Important Note: The GDPR is a complex principle-based law subject to further interpretation by the supervisory authorities of each EU country. If you are not sure whether your data handling practices are compliant with the GDPR, please seek professional legal advice.

When does the right to be forgotten apply?

The GDPR has set out a few specific circumstances under which the right to be forgotten applies.  One can request for their personal data to be erased under certain circumstances such as:

  • If the personal data is no longer useful for the purpose it was originally collected for.
  • If an organization is relying on consent as a basis for processing the data but the individual withdraws their consent.
  • If personal data is being been processing for direct marketing purposes and the individual objects to this.
  • If any personal data is being processed unlawfully.
  • If an organization is required to erase personal data.