Right to erasure policy and procedure
Do we have to tell other organisations about the erasure of personal data?
The UK-GDPR specifies two circumstances where we should tell other organisations about the erasure of personal data:
- the personal data has been disclosed to others, or
- the personal data has been made public in an online environment (for example on social networks, forums or websites).
If we have disclosed the personal data to others, we must contact each recipient and inform them of the erasure, unless this proves impossible or involves disproportionate effort. If asked to, we must inform the individuals about these recipients.
The UK-GDPR defines a recipient as a natural or legal person, public authority, agency or other body to which the personal data are disclosed. The definition includes controllers, processors and persons who, under the direct authority of the controller or processor, are authorised to process person data.
Where the personal data has been made public in an online environment reasonable steps should be taken to inform other controllers who are processing the personal data to erase links to, copies or replication of that data. When deciding what steps are reasonable we should take into account available technology and the cost of implementation.