• September 24, 2024
  • Jim

GDPR has been in place for over six years now, but it's still important to revisit the topic from time to time so we clearly understand data subject rights under GDPR and someone's right to erasure, restriction or objection. The Data Protection Act (DPA) 2018 provides the legal structure that governs how the government, organisations and businesses use and store your information, including what they use it for, how they store it, how long they keep data, and when and how they should erase it.

The General Data Protection Regulation (GDPR) comes into effect through the Data Protection Act. You also have several rights as an individual under the GDPR. In this series of posts, we’ll explain each data subject right and what it means to the data subject.

The Right to Erasure

Under article 17 of the GDPR, data subjects have the right to request that their personal data be erased. The individual holds the right to have their personal data erased without undue delay, and the data controller, i.e. the organisation or business, must delete the data without any delay.

Individuals can exercise their data subject rights under GDPR if:

  • The data being held is no longer needed for the reason it was collected
  • The individuals withdraw their consent for the data being used
  • An individual objects to the processing of the data and the controller has no legitimate reason to override this
  • The data subject objects to the processing of their personal data for marketing reasons, and that is the only reason the data is being held, then it must be erased.
  • Personal data has been processed unlawfully
  • It is a legal compliance obligation
  • Data has been processed to provide information society services to a child

The GDPR right to erasure is also known as the “right to be forgotten”. It applies to all and any information that the organisation stores on that individual and can relate to live and backed-up data servers.

It can be argued that the most explicit of the rights in this blog is the right to erasure, where data must be deleted immediately, without undue delay. There are no two ways around this, and once a right to erasure has been received, the data controller must process this action.

The Right to Erasure and Children’s Rights

Because of the enhanced protection of children’s rights, when an organisation collects and stores information from children, it must give particular priority to a request for erasure. This is largely applicable to when consent was gained from a child, and it still relates to a request for erasure even if the child is now an adult. 

This is because even if a child has given their consent, they may still not be fully aware of what that means.

Telling Others About the Erasure

If an organisation has shared personal information with other individuals, organisations, or agencies, then they must inform them about the erasure and those secondary organisations must also erase the data or ensure that they no longer share any links to the original data source.

This also applies to data that has been shared in public spaces. It must be deleted, and if it cannot be deleted wholly, links, copies and replicas of the data must be removed.

The Right to Restriction

Under article 18 of the GDPR, data subjects have the right to limit or restrict the way in which their data is processed and used. This is an alternative to the right to erasure and restriction may only last for a certain period of time.

There are a few reasons why a data subject may request the restriction of their data. These are:

  • The accuracy of the data
  • Data has been unlawfully processed
  • The data subject needs the organisation to keep the data for legal reasons
  • The data subject has objected to the processing of data but the data controller believes that they have legitimate reasons to have the data

In order to rightfully restrict the processing of information, organisations must have the correct and appropriate methods and procedures in place to note that further processing of the information has been restricted.

What is the Definition of Data Processing?

The ICO (aka the Information Commissioner’s Office) defines processing as “a broad range of operations including collection, structuring, dissemination and erasure of data.” So when restricting data, the relevant processes need to be carried out depending on how the data is being used.

A few examples provided by the UK GDPR include moving the data to an alternative processing system, making data unavailable to users or temporarily removing information from published sites.

Can my Data Still be Used During Restriction?

The short answer is no. 

If a request for restriction has been received, all processing of the data must stop immediately. 

The only reason the data can and should be used is to store it. 

You also cannot erase the data as a request for restriction does not justify erasure.

Telling Others About the Restriction

As with a request for erasure, the data controller must inform any other individuals or organisations with whom the data has been shared that a request for restriction has been made.

Your Right to Objection Under GDPR

Under article 21 of the GDPR, individuals have the right to object to the processing or use of their personal data in certain circumstances. If a right to object has been raised, the controller must stop using the data immediately unless they have a legitimate reason to continue.

Individuals have an absolute right to object if the data is processed for marketing purposes. They can also object if the processing is for

However, the above reasons are not absolute.

The Right to Objection and Direct Marketing

An absolute right to objection means that the data controller cannot refuse the request on any grounds. If an individual objects to receiving direct marketing, organisations can either erase their data completely or suppress it so that they still keep parts of their data, but the individual does not receive direct marketing again in the future.

In this case, direct marketing refers to any action by a company or organisation to market its products or services directly to an individual.

How the Right to Erasure, Restriction and Objection Relate to Each Other

The right to restriction and the right to objection hold close similarities to other GDPR rights, e.g. the right to rectification. The right to rectification concerns making changes and amendments to the information stored, and whilst the information is being processed, an individual can exercise the right to restriction and objection.

It is possible for the three rights listed above to affect each other where the actioning of one request may lead to the other. For example, with the right to erasure, if the data subject objects to the processing of their personal data for marketing reasons, and that is the only reason the data is being held, then it must be erased.

Similarly, a data controller can refuse to comply with a request for erasure, restriction and objection if the request is deemed to be excessive or manifestly unfounded.

The ICO has a wide range of resources and advice where you can find more information about your rights as an individual, which we recommend you visit. If you are an organisation or business that needs help supporting your own clients with Data Subject Access Requests, please get in touch.
