What is the right to be forgotten under the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (2016/679 EU) (GDPR) provides individuals with the right to request the erasure of personal data concerning them, also known as "the right to be forgotten". Employers will be obliged to erase personal data relating to an individual if:
- the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
- the individual withdraws his or her consent and there is no other legal ground for the processing;
- the individual objects to the processing of data where the processing is on the basis of the employer's legitimate interests and there are no overriding legitimate grounds for it to continue;
- the personal data has been unlawfully processed; or
- erasure is required for compliance with a law to which the employer is subject.
If one of the above grounds applies, the employer must erase the personal data without undue delay, on the request of the individual.
If the employer has made the personal data public, it also has a duty to take reasonable steps to inform other data controllers that are processing the data that the individual has requested the erasure of the data and any links to or copies of it.
The GDPR sets out certain circumstances in which data controllers do not have to comply with a request for erasure. In the employment context, the most relevant circumstances are likely to be where processing is necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims. However, where these exemptions apply, the employer must stop processing the data for other purposes not covered by the particular justification. For example, it could retain the data for the purposes of responding to potential tribunal claims, until after the expiry of the relevant limitation period, but it must stop processing the data for other purposes.
The GDPR will come into effect on 25 May 2018.