In the week that Google loses a landmark case against a London businessman over his Right to Erasure, we take a look at what updates there are from the ICO on this particular section of the GDPR.
This week a UK citizen, who cannot be named, has exercised his right to have Google remove all online references to a spent criminal conviction from ten years ago. After the search engine giant refused to remove the data, he took them to court and won.
Google said in a statement:
“We work hard to comply with the right to be forgotten, but we take great care not to remove search results that are in the public interest.
“We are pleased that the Court recognised our efforts in this area, and we will respect the judgements they have made in this case.”
Although the Right to Be Forgotten is not new, the General Data Protection Regulation (GDPR) seeks to extend these rights for EU citizens, making it easier for individuals to have their data erased.
Article 17 of the GDPR states that individuals have the right to request that their personal data be removed permanently if:
You will need to inform other organisations about the erasure request if the personal data has already been shared with them or if the data has been made public online.
You can refuse a right to erasure request if it is deemed unfounded or excessive. In that case you can request a ‘reasonable fee’ or simply refuse the request.
The Information Commissioner’s Office (ICO) gives further examples of when the right to erasure does not apply:
ISMS.online has a tool for that.
ISMS.online features a Personal Data Inventory & Records Processing Tracker to help you do just that.
The information in this blog is for general guidance and does not constitute legal advice.