Right to erasure policy and procedure
Processing a right to erasure request
As with a subject access request, all of the information held on the individual must first be identified. It must then be established which category each item falls under and whether any exemption listed in the next section applies.
Individuals have the right to have their personal data erased if:
- the personal data is no longer necessary for the purpose for which you originally collected or processed it
- you are relying on consent as the lawful basis for holding the data, and the individual withdraws their consent
- you are relying on legitimate interests as your lawful basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing
- you are processing the personal data for direct marketing purposes and the individual objects to that processing
- you have processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the 1st principle)
- you have to do it to comply with a legal obligation
- you have processed the personal data to offer information society services to a child (an ISS is any online service and includes online shops, live or on-demand streaming services and companies providing access to communication networks)
Where data is to be erased, it must also be ensured that any further backup copies, and other information in emails, documents, or communications, are likewise deleted or no longer retained.
While the right to erasure will remove all of an individual’s data (so long as it is not exempt), we must retain a record of the request and our action. Ordinarily this will be a schedule listing the data covered and the erasure, which will show that we have attempted to comply with Article 17. Until case law demands that we do not retain that information, good practice would deem that we do so.