Right to be forgotten and deletion according to RGPD

Signed by: Ruben Gálvez

The Right to Be Forgotten and Erasure: Keys to Protecting Your Digital Reputation

The right to be forgotten and erasure are legal mechanisms introduced by the General Data Protection Regulation (GDPR). Their main goal is to give individuals greater protection and control over their personal data. These rights allow people to request that their personal data be removed from the internet.

In this article, we explain what the right to be forgotten and the right to erasure are, their differences, and when and how they can be applied. In terms of your brand or business’s digital reputation, this right plays a key role in optimizing your online presence.

What is the right to be forgotten?

The right to be forgotten was established in May 2014 within the European Union. It was the result of a ruling by the Court of Justice that determined EU data protection laws allow individuals to request that search engines remove specific results linked to their names.

To fully understand the right to be forgotten and erasure, we must refer to the General Data Protection Regulation (GDPR), enacted in 2018. Article 17 of the GDPR establishes a right to erasure, similar to what the Court had already recognized.

When deciding which results to remove, search engines must evaluate the information. Data considered inadequate, irrelevant, inaccurate, or excessive may be removed. Public interest is also assessed to determine whether the content should remain accessible. Several other countries have also implemented similar laws.

Difference between the right to be forgotten and the right to erasure

Though often used interchangeably, the right to be forgotten and the right to erasure are different concepts.

• The right to erasure (under the GDPR) can be exercised against any organization processing personal data, whether digital or physical.
• The right to be forgotten applies specifically to digital environments, particularly to search engines and online content indexing.

The right to erasure involves removing the individual’s personal data from any digital or physical record. On the other hand, the right to be forgotten refers to removing search engine links or results that connect a person’s name with specific content or publications.

Additionally, the right to erasure is part of the ARSULIPO rights (Access, Rectification, Erasure, Restriction of Processing, Data Portability, and Objection). While the right to be forgotten is not explicitly listed among these, data protection laws do account for it.

When can I apply the right to be forgotten and erasure?

You may apply these rights when any of the following situations occur:

• Personal data is no longer necessary for the purpose it was collected.
• The individual objects to data processing and no overriding legitimate grounds exist.
• Data must be deleted to comply with an EU or Member State legal obligation.
• The individual withdraws consent, and no other legal basis justifies the processing.
• Data has been processed unlawfully.
• Data was collected in the context of offering information society services directly to children.

However, these rights do not apply if the data is necessary to:

• Exercise freedom of expression and information
• Fulfill legal obligations or public interest missions
• Conduct public health research or historical, scientific, or statistical studies
• File or defend against legal claims

How to exercise the right to be forgotten: Requirements and limitations

In Spain, the right to be forgotten and erasure can be exercised by contacting the data controller or processor directly or filing a complaint with the Spanish Data Protection Agency (AEPD) if the response is unsatisfactory.

Under the GDPR, controllers must provide clear, accessible information on how individuals can exercise their rights, along with free and simple communication channels—often via email.

What must the data controller do?

Once a request is received, the data controller must:

• Notify all parties involved in the data processing.
• Erase the relevant data.
• Remove links to or copies of the data.

According to the GDPR, requests must be responded to within one month. In complex cases or high-volume situations, this may be extended to two months, but the data subject must be informed of the extension and its reasons.

Failure to respond within the legal timeframe can result in penalties for violating data protection laws.

Limitations of the right to be forgotten and erasure

There are exceptions where data may not be erased, including when:

• It is necessary to comply with legal obligations
• It supports freedom of expression or the right to information
• It is required for public interest reasons
• It is needed to file or defend against legal claims
• It is used for historical, scientific, or statistical research

At 202 Digital Reputation, we specialize in removing, managing, and delisting online content.

We offer 360° digital reputation management for anonymous individuals, public figures, small businesses, and large corporations alike. Contact us to learn how we can help protect your personal data online.