Right to erasure policy and procedure
Do we have to tell other organisations about the erasure of personal data?
The UK-general data protection regulation (UK-GDPR) specifies two circumstances where we should tell other organisations about the erasure of personal data:
- the personal data has been disclosed to others, or
- the personal data has been made public in an online environment (for example on social networks, forums or websites).
If we have disclosed the personal data to others
We must contact each recipient and inform them of the erasure, unless this proves impossible or involves disproportionate effort.
If asked to, we must inform the individuals about these recipients.
Recipients
The UK-GDPR defines a recipient as a natural or legal person, public authority, agency or other body to which the personal data are disclosed.
The definition includes controllers, processors and persons who, under the direct authority of the controller or processor, are authorised to process person data.
Online personal data
Where the personal data has been made public in an online environment, reasonable steps should be taken to inform other controllers who are processing the personal data to erase links to, copies or replication of that data.
When deciding what steps are reasonable we should take into account available technology and the cost of implementation.