The GDPR incorporates the right to be forgotten as a right linked to the right to erasure, to restriction of processing and to data portability:
Data subjects have the right to obtain the erasure of personal data (right to be forgotten), when:
- the personal data are no longer necessary in relation to the purposes for which they were collected;
- the data subject withdraws the consent on which the processing was based;
- the data subject objects to the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation;
- the personal data have been collected in relation to the offer of information society services addressed to children.
Where the controller has made the personal data public and is obliged to erase them, that controller must take reasonable steps to inform those processing the personal data that the data subject has requested the erasure.
Exceptions to the exercise of this right are provided to the extent that processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
- for the establishment, exercise or defence of legal claims;
- for exercising the right to restriction of processing.
Restriction of processing is present in the GDPR as a right of data subjects. It should not be confused with the blocking of data that currently exists in Spanish legislation, and its inclusion as a new right does not in itself mean that the concept of data blocking disappears.
Restriction of processing means that, at the request of the data subject, the processing operations that would otherwise apply to the data are not carried out. Restriction may be requested when:
- the data subject has exercised the rights of rectification or objection, for as long as the controller is determining whether the request should be granted;
- the processing is unlawful, which would mean the personal data would be erased, but the data subject opposes such erasure;
- the personal data are no longer necessary for the purposes of the processing, which would result in their erasure, but the data subject requests restriction instead because the data are required for the establishment, exercise or defence of legal claims.
The same terms and procedures are applied to this right as are applied to all other rights provided in the GDPR.
Where the processing has been restricted, the controller may only process the affected data, with the exception of storage, in the following cases:
- with the data subject's consent;
- for the establishment, exercise or defence of legal claims;
- for the protection of the rights of another natural or legal person;
- or for reasons of important public interest of the Union or of the corresponding Member State.
One consequence of this rule is that it rules out a practice occasionally followed, namely erasing the personal data when another right, such as the right of access, is exercised, since such erasure would make it impossible to exercise the right to restriction of processing.
- Right to data portability:
The right to data portability is an advanced form of the right of access, by which the data subject has the right to receive the personal data he or she has provided to a controller concerning him or her in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller, if the following requirements are met:
- the processing is based on consent or on a contract;
- the processing is carried out by automated means;
- the data subject makes the request with respect to data he or she has provided to the controller, including data deriving from the data subject’s own activity. It is thus not applicable to the data of third parties that a data subject has provided to a controller. Nor will it apply if the data subject requests the portability of data that concern him or her, but have been provided to the controller by third parties.
Where technically feasible, the data subject should have the right to have the personal data transmitted directly from one controller to another.
The European Group of Data Protection Authorities (Article 29 Data Protection Working Party) has adopted an Opinion in which this right is analysed in detail, and which may be consulted here.
What is the procedure for exercising the rights contained in the new Regulation?
In general, the GDPR requires controllers to facilitate data subjects’ exercise of their rights. This mandate means that the procedures and mechanisms of such exercise must be visible, accessible and easy to understand. The GDPR does not establish a specific way of exercising rights, but requires controllers to enable requests to be presented by electronic means, especially when the processing is being carried out by these means.
This obligation requires procedures to be put in place that easily allow data subjects to demonstrate that they have exercised their rights by electronic means, something which is often not feasible today.
The GDPR also provides that the exercise of rights should be free of charge for the data subject. This criterion may not apply in cases in which requests are made that are manifestly unfounded or excessive, in particular because of their repetitive character; in these cases, the controller may charge a reasonable fee based on the administrative costs, or refuse to act on the request. It falls upon the controller to demonstrate the unfounded or excessive character of the request. In any case, the fee may not represent additional income for the controller, but should correspond to the true cost of processing the request.
The controller must provide the data subject with information on action taken on a request within one month of its receipt. That period may be extended by two further months where necessary, taking into account the complexity and number of requests. The controller should inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay. If the controller decides not to take action on the data subject’s request, that controller should inform the data subject of the reasons for not doing so within one month of receipt of the request.
The GDPR establishes that the controller should use all reasonable measures to verify the identity of a data subject who requests access and, in general, of all data subjects who exercise the other ARCO rights (the Spanish acronym for the rights of access, rectification, cancellation and objection).
Where a controller processes a large quantity of information concerning the data subject, that controller may request the data subject to specify the information or processing activities to which the request relates.
The controller may rely on the cooperation of processors to manage the exercise of data subjects’ rights. This cooperation may be included in the contract commissioning the data processing.