According to Article 17 of the RODO, any individual can request to “be forgotten”, i.e. demand the erasure of their personal data processed by the administrator.
The data subject has the right to request from the administrator the immediate erasure of personal data concerning them, and the controller must do so without undue delay if one of the following circumstances applies:
- the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- the data subject has withdrawn consent to the processing, and there is no other legal basis for it;
- the data subject objects, on grounds relating to their particular situation, to the processing of personal data concerning them that is based on public or legitimate interests, and there are no overriding legitimate grounds for the processing; or the data subject objects to the processing of personal data for direct marketing purposes;
- the personal data have been unlawfully processed;
- the administrator must erase personal data to comply with a legal obligation under Union law or the law of a Member State;
- the personal data were collected in connection with offering information society services as referred to in Article 8(1) of the RODO.
The administrator shall provide information on the action taken on the request within one month at the latest. This period may be extended by 2 months due to the complexity of the request or the number of requests. At the same time, the administrator should verify the identity of the person making the request.
However, the administrator cannot always comply with a request to “be forgotten”. One situation in which the controller cannot delete the data of the person making the request is where there is a legal obligation to keep that person's data, e.g. a former employee cannot request that the employer delete their employee records before the end of the period during which the employer has a legal obligation to keep them.