Iubenda logo
Start generating

Documentation

Table of Contents

The Right to be Forgotten and iubenda’s Consent Solution

Article 17 of the GDPR, “the right to erasure,” also known as the “right to be forgotten,” allows individuals to request that data controllers remove their personal data.

But the right to be forgotten involves much more than an individual simply asking a company to delete their personal data.

Short on time? Jump to: 

What is the right to be forgotten? 

The right to be forgotten appears in Article 17 of the GDPR, stating that if one of a number of conditions applies,

“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data *without undue delay.” 

*“Without undue delay” is considered to be within one month after receiving the request. 

Additionally, the data controller must take appropriate measures to confirm the identity of the data subject behind the request.

When does the right to be forgotten apply?

The specific conditions under which the right to be forgotten is applicable are outlined in Article 17. An individual has the right to have their personal data deleted if:

  1. Personal data is no longer required for the purposes for which they were collected or processed.
  2. The data subject withdraws the consent, and there are no other legal grounds for the processing.
  3. The data subject objects to the processing (which relied on the ground of legitimate interest), and there are no overriding legitimate grounds for the processing. This applies even when using personal data for direct marketing.
  4. The processing of the personal data was done unlawfully.
  5. The personal data must be deleted for the controller to comply with a legal requirement under EU or Member State legislation.
  6. The collection of personal data is related to the provision of services for the information society.

Can the data controller override the user’s right to be forgotton?

Yes, in the following situations, the data controller can override the users’ right to be forgotten:

  • Processing is required in order to exercise the right of freedom of expression and information. 
  • Processing is required to carry out a task in the public interest, to comply with a legal requirement, or for the controller to exercise official responsibility.
  • Processing is required for reasons of public interest in the field of public health.
  • Processing is required for archiving in the public interest, historical or scientific research, or statistical purposes.
  • Processing is required to establish, exercise, or defend legal claims.

Additionally, if an organization can demonstrate that a request to delete personal data was unreasonable or incorrect, the company may demand a “reasonable fee” or reject the request.

When exercising the user’s right to be forgotten, many factors are at play, and each request needs to be evaluated individually.

For compliance reasons, the proof of users’ consent and any withdrawals must be stored in the Consent Solution dashboard. However, the data controller who receives a request to exercise the right to be forgotten must consider each request individually.

For all data processing operations to be carried out on the legal basis of consent, the data controller must maintain track of the proof of consent obtained.

On the other hand, users are entitled to revoke any prior consent they may have given for the processing of their personal data under. 

With the help of the Consent Solution, it is possible to manage user consent and keep the consent records needed by the GDPR.

First of all, it is up to the data controller to determine whether a request for the removal of personal data should be carried out. The data controller must reply to the request within one month and communicate the related decision:

  1. if the assessment carried out points to the fact that the request needs to be processed (one of the specified situations listed in Article 17 of the GDPR applies); or 
  2. if the conclusion is that the request cannot be carried out due to a certain reason. In this instance, the data controller also needs to communicate why the request could not be fulfilled.

Suppose the result of the data controller assessment indicates that it is necessary to remove the personal data kept in the Consent Solution. In that case, iubenda will be available to help with the technicalities.

However, the data controller will need to make an API call to log the deletion if they want to move forward with a request to exercise the right to be forgotten. Please keep in mind that the data controller will need to modify the API call to include the relevant personal data.

Please see this example below:

curl --location --request POST 'http://consent.iubenda.com/consent' --header 'Content-Type:application/json' --header 'ApiKey:YOUR_PRIVATE_API_KEY' --data-raw '{
  "subject":{
    "id":"subject_id"
  },
  "preferences":{
    "preferencel":"false",
    "preference2":"false",
    "rightToBeForgotten":"true"
  },
  "proofs":[
    {
      "content":"The user requested to be forgotten,and this is the proof of it"
    }
  ]
}
'

The data controller can use the same method of communication that the user used to express the request. For example, if the user communicated the request with an email address, the data controller can use that same email address to contact the user.

If you need further assistance exercising your user’s right to be forgotten, don’t hesitate to contact our support team. 

See also: