CMcBag62
Newcomer I

GDPR Right to be forgotten

Regarding the right to be forgotten - I am somewhat confused about consents and how that applies.  If I choose to visit a website and I get this message:

 

THIS WEBSITE USES INFORMATION GATHERING TOOLS INCLUDING COOKIES, AND OTHER SIMILAR TECHNOLOGY.
BY USING THIS WEBSITE, YOU CONSENT TO USE OF THESE TOOLS. IF YOU DO NOT CONSENT, DO NOT USE THIS WEBSITE. USE OF THIS WEBSITE IS NOT REQUIRED BY XXXX. OUR PRIVACY POLICY IS LOCATED HERE

 

I use the website, but by consenting, have I given up my right to be forgotten?  Or does it mean I have to contact the company to have data removed?  Does the company now have my implicit consent to collect cookie data since I have used the site?  Are they no longer bound by GDPR rules?

 

I cannot find the layman's version of this requirement and am not sure I understand it completely.

 

Thanks

6 Replies
Early_Adopter
Community Champion

IANAL, but this position from the website operator looks untenable to me.

 

If you are a data subject residing in the EU, or within places where the jurisdiction of EU law applies, then this website is not compliant with the GDPR.

 

Specifically, the personal data would be unlawfully processed as they did not get your explicit consent to process for a specified process. Consent must be explicit and can be withdrawn at any time.

 

The right to erasure is not total, but here's a good write up courtesy of the UK's ICO:

 

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual...

 

At a glance

 

  • The right to erasure is also known as ‘the right to be forgotten’.
  • The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.

In brief

When does the right to erasure apply?

The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
  • When the individual withdraws consent.
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
  • The personal data was unlawfully processed (ie otherwise in breach of the GDPR).
  • The personal data has to be erased in order to comply with a legal obligation.
  • The personal data is processed in relation to the offer of information society services to a child.

Under the GDPR, this right is not limited to processing that causes unwarranted and substantial damage or distress. However, if the processing does cause damage or distress, this is likely to make the case for erasure stronger.

There are some specific circumstances where the right to erasure does not apply and you can refuse to deal with a request.

When can I refuse to comply with a request for erasure?

You can refuse to comply with a request for erasure where the personal data is processed for the following reasons:

  • to exercise the right of freedom of expression and information;
  • to comply with a legal obligation for the performance of a public interest task or exercise of official authority.
  • for public health purposes in the public interest;
  • archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
  • the exercise or defence of legal claims. 

How does the right to erasure apply to children’s personal data?

There are extra requirements when the request for erasure relates to children’s personal data, reflecting the GDPR emphasis on the enhanced protection of such information, especially in online environments.

If you process the personal data of children, you should pay special attention to existing situations where a child has given consent to processing and they later request erasure of the data (regardless of age at the time of the request), especially on social networking sites and internet forums. This is because a child may not have been fully aware of the risks involved in the processing at the time of consent (Recital 65).

Do I have to tell other organisations about the erasure of personal data?

If you have disclosed the personal data in question to others, you must contact each recipient and inform them of the erasure of the personal data - unless this proves impossible or involves disproportionate effort. If asked to, you must also inform the individuals about these recipients.

The GDPR reinforces the right to erasure by clarifying that organisations in the online environment who make personal data public should inform other organisations who process the personal data to erase links to, copies or replication of the personal data in question.

While this might be challenging, if you process personal information online, for example on social networks, forums or websites, you must endeavour to comply with these requirements.

As in the example below, there may be instances where organisations that process the personal data may not be required to comply with this provision because an exemption applies.

 

Example

 

A search engine notifies a media publisher that it is delisting search results linking to a news report as a result of a request for erasure from an individual. If the publication of the article is protected by the freedom of expression exemption, then the publisher is not required to erase the article.

 

CMcBag62
Newcomer I

Thank you! It makes much more sense now.
mwooly
Viewer

The previous comment is not 100% accurate.

 

I use the website, but by consenting, have I given up my right to be forgotten?
- No, you have not given up that right. That is you giving them consent to acquire the information.  The Privacy Policy link they provide explains what information they are collecting, what they are going to do with that information, who they will share it with, and how to contact them about it. 

 

Or does it mean I have to contact the company to have data removed?
- Yes.  You must still contact the company in any instance to inform them you want to be forgotten. If the company has legal need or public interest to retain the data, you may not be able to require them to delete it. Otherwise they are obligated to remove the information.

 

Does the company now have my implicit consent to collect cookie data since I have used the site? Are they no longer bound by GDPR rules?
- The site is telling you what it plans to acquire, and what it plans to do with it.  If you are ok with that, then you may proceed.  By you using the site you are providing your consent.  Those are the GDPR rules.  

Early_Adopter
Community Champion


@mwooly wrote:

The previous comment is not 100% accurate.

 

I use the website, but by consenting, have I given up my right to be forgotten?
- No, you have not given up that right. That is you giving them consent to acquire the information.  The Privacy Policy link they provide explains what information they are collecting, what they are going to do with that information, who they will share it with, and how to contact them about it. 

 

Or does it mean I have to contact the company to have data removed?
- Yes.  You must still contact the company in any instance to inform them you want to be forgotten. If the company has legal need or public interest to retain the data, you may not be able to require them to delete it. Otherwise they are obligated to remove the information.

 

Does the company now have my implicit consent to collect cookie data since I have used the site? Are they no longer bound by GDPR rules?
- The site is telling you what it plans to acquire, and what it plans to do with it.  If you are ok with that, then you may proceed.  By you using the site you are providing your consent.  Those are the GDPR rules.  


I don't think that use of the site would provide explicit, informed consent based on limited use of the personal data. To my mind the below is at best implicit consent; there is no purpose specified and no limit of use, retention period etc. It's not compliant with the requirements of the GDPR.

 

THIS WEBSITE USES INFORMATION GATHERING TOOLS INCLUDING COOKIES, AND OTHER SIMILAR TECHNOLOGY.
BY USING THIS WEBSITE, YOU CONSENT TO USE OF THESE TOOLS. IF YOU DO NOT CONSENT, DO NOT USE THIS WEBSITE. USE OF THIS WEBSITE IS NOT REQUIRED BY XXXX. OUR PRIVACY POLICY IS LOCATED HERE

mwooly
Viewer

The last line, talking about the "privacy policy is located here", would have that information.  When you enter any UK site these days, that cookie box pops up letting you know cookies are being processed, and as part of the privacy policy, explains how that and any other information that may be collected is being used.

Early_Adopter
Community Champion

It's still implicit and doesn't have the specificity of purpose at the point of collection. That a cookie is being processed by the site is incidental under GDPR; it's focused on personal data. What data? What for? What will we/you/I do with it? How long will we keep it? How can you withdraw consent? How do you correct your data? How do I object?

 

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-bas...

 

Here's what needs to go into a privacy notice. Pre-checked boxes and just using the fact that you use the site are not good enough; you'll need explicit consent collected and recorded:

 

https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-contr...

 

I would expect anyone falling back to 'Privacy Policy Here' under the GDPR to not be compliant come May 25th and for it to be very visible online. 

 

There are other laws that cover cookies and other electronic communications:

 

https://ico.org.uk/for-organisations/guide-to-pecr/what-are-pecr/

https://ec.europa.eu/digital-single-market/en/news/proposal-regulation-privacy-and-electronic-commun...