@Jacques314
The General Data Protection Regulation (GDPR) which became law in May 2018, codifies EU citizens 'right to erasure', often known as the 'right to be forgotten'.
GDPR decrees that an EU citizens data rights, in general, override “the economic interest of the search engine, and also the interest of the general public in finding that information upon a search relating to the data subject's name"
The GDPR has expanded and developed this 'right to erasure' to include all data held by any organisation, whether the information is publicly available or not. Under the GDPR any EU citizen has a right to have all personal information deleted by an organisation:
* Where the data is no longer necessary in relation to the purpose for which it was originally collected
* Where the citizen withdraws consent and there are no legal or other overriding legitimate interest for continuing to hold the data
* Where the data was illegally processed
GDPR also flips the burden of proof from the 'data subject' i.e. the citizen to the 'data controller' i.e. the organisation – while in the past the data subject would have to prove they had the right for their data to be destroyed, the burden of proof now lies with the organisation which now has to prove that they have a legal basis for retaining control of, or access to, the 'data subjects' data
The GDPR states that data controllers must communicate with data subjects “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.” Where an EU citizen wants to exercise one of their rights the 'data controller' has to comply “without undue delay” or at most within a month of the request.
Related GDPR Articles -