The fourth article in our series on GDPR rights is about the deletion right. Catch up on previous articles that cover your right to be informed, the access right, and the correction right.
Part 4: The right to request deletion
There has been a lot of hype and misleading information about this right and it is often called ‘the right to be forgotten’. The reality is that there is no such right, and it has always been the case that your right is to request deletion, not demand it. This is a complicated right in that it only applies in certain circumstances and, even where it applies, organisations won’t have to delete your information in some scenarios.
In current UK law, this right is part of the right to correct data, in that a court can also order an organisation to delete inaccurate personal data. In practice, organisations will usually consider any deletion request they receive without insisting you go to court. Most organisations in most circumstances will have legitimate reasons for having or using your information, so they will not be required to delete it. The most likely reason for needing to delete it is if they should have already done so, and are continuing to hold information they no longer need.
What’s new?
GDPR provides a direct right to have an organisation delete your personal information in certain circumstances.
- The information is no longer necessary for the purposes for which the organisation collected/used it.
- The organisation collected/used the information based on your consent, and you withdraw that consent, and there is no other lawful grounds to keep it.
- You have objected to the organisation collecting/using your information and there are no overriding legitimate grounds for them to keep it.
- You object to your information being used for direct marketing purposes.
- The organisation has collected/used the information unlawfully.
- The organisation has a legal obligation to delete the information.
- The organisation has collected the information to offer an online service to a child.
What does this mean?
The reality is that if you ask an organisation to delete your information, they will only have to do so where they have not complied with other GDPR or legal obligations. Essentially this is a ‘safety net’ right making sure that if an organisation still has information it shouldn’t, it must delete it.
There are two exceptions in the list above, relating to marketing and children. The right to say ‘no thanks’ to marketing and have that respected has not changed under GDPR, so organisations will have to stop using your information for marketing if you ask them to. It is important to know that in practice the organisation will not actually delete the information, they will add your details to a suppression list. This is a list of contact details for everyone who has objected, and organisations check against this list when doing marketing, to make sure they don’t contact anyone who has said ‘no thanks’. If they deleted your data completely, they might collect it again somewhere else and not know that you have said you don’t want marketing.
With regard to children, there is still uncertainty as to what the right to deletion means. The section in GDPR on offering online services to children (that this right refers to) is quite narrow, and is essentially a requirement to get parental consent, instead of the child’s consent, if the lawful grounds you are using is consent. (There are multiple lawful grounds an organisation can use, and consent isn’t always the most appropriate.) It’s not clear if the right to deletion applies only to the consent-based information collected to offer a child online services, or whether it applies to any information collected from or about a child when offering online services. In the UK the regulator (ICO) is drafting guidance on the children’s aspects of GDPR, so we hope to get clarity on this point soon.
Automatically deleting your data
For the above scenarios, GDPR describes this right as both the right for you to get your data deleted, and the obligation for an organisation to delete the data without undue delay.
However, automatically deleting data might not actually be the best outcome or be in individuals’ interests. As mentioned above for marketing, deleting your data rather than adding you to a suppression list might mean you get more unwanted marketing! Also, if an organisation has been doing something it shouldn’t have with personal data, deleting the data may delete the evidence and prevent a regulator investigation or the ability for individuals to take legal action.
What other obligations do organisations have?
If the organisation has to delete your information, but has already made it public, they are obliged to inform other organisations who have it that you have requested its deletion. These other organisations should then delete their copy of your information or any links to it.
What does that really mean though? This aspect of the right has come from court cases against Google relating to whether information they link to in search results should still be available. (See below for more information.)
When does this right not apply?
As mentioned in the first paragraph, even if your request for deletion matches one of the above list of circumstances, the organisation might still not have to delete your information, if one of the following applies.
- The organisation needs the information to exercise their right to freedom of expression and information. (This is likely to be more relevant to news organisations and publishers.)
- The information is necessary to comply with a legal obligation. (This could be where organisations are required by law to keep certain data for a certain amount of time for audit, tax or other purposes.)
- The information is necessary for an activity the organisation is carrying out that is in the public interest or as part of their official duties. (This is likely to be relevant to public sector bodies.)
- The information is necessary for reasons of public interest in the area of public health.
- The organisation needs the information for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, if deleting the data would make those purposes impossible or seriously impair the organisation from achieving its aims. (This is most likely to be used by official archiving or research bodies.)
- The organisation needs the information to establish, exercise or defend legal claims.
The UK’s draft Data Protection Bill to implement GDPR is currently being finalised but the current version maintains exemptions in current law that mean that an organisation may not have to comply with your request in certain circumstances.
The organisation also has to be able to verify your identity before taking action as a result of your request.
The right to be forgotten by search engines
As already mentioned, some aspects of this right come from court cases against Google, where individuals requested that certain information no longer appear in searches on their name. This is really about being delisted from search results, as the original publication of the information may have to remain. The court cases have looked at the balance between privacy and freedom of expression to set the lines on when each prevails. The decision in each of the cases depends on the facts of the case, and sometimes the court has decided the information is no longer relevant and so must not be linked to, whereas in other cases they found in favour of Google.
Fees and timescales
Under current UK law there are no set timescales for dealing with a deletion request, but organisations usually respond without delay. There is no charge for this kind of request.
Under GDPR the organisation has 30 days to respond and cannot charge a fee. However, organisations can charge for ‘manifestly unfounded or excessive’ requests. They must base the fee on the administrative cost of providing the information. The current version of the UK’s draft Data Protection Bill provides for the Government to set limits on the fees. Organisations can also extend the response time to two months depending on the complexity and number of the requests. If they need to extend the response time, they should tell you within the first month.
If an organisation decides it can’t comply with your request, they should explain why, without undue delay and at the latest within one month. They should also tell you about your right to complain to the regulator (ICO).
What is Yoti doing?
You are able to delete your account at any time from within the app settings. If you delete the app before deleting your account you just lose the connection to your data, and it remains ‘orphaned’ in our system. We delete orphaned data after three years.
If you use our Dashboard to create pages and applications as a way to collect personal information from others, you can also delete your account. Yoti will need to keep certain information for billing records and auditing purposes.
You can make a deletion request to privacy@yoti.com