by Dr Edric Micallef Figallo – Associate
The following is the sixth article in a series of articles delving into the GDPR, intended to give an overview of the main aspects of the provisions it introduced, retained and updated in the data privacy law regime of the European Union, and its legislative implementation in Malta. The previous article may be viewed here.
This article will start dealing with the new right provided by the GDPR under Article 17 thereof, ergo the right to erasure, also known as the right to be forgotten. This right was referred in brief in the previous article in this series, which for the data subject involves “the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay…”. As stated, this right is a GDPR novelty for data subjects, meaning (natural) persons on which personal data is processed in some manner.
This right is not an absolute right, and the six main grounds for its exercise “without undue delay” are provided under Article 17, para. 1 GDPR, failing which said right might not apply. The right is further restricted by restrictions provided under Article 17, para. 3 GDPR. These grounds and restrictions will be dealt with in another part to this article.
In this first part, it is apt to question how may a data subject request that his data be erased?
Article 17 GDPR is silent on the modality of said request and the European Data Protection Board has not issued any “guidelines, recommendations, and best practices”, or other documents, on this right. Malta’s IDPC has not done so either.
The UK’s ICO has issued a guide to the GDPR which features a specific section on the right to erasure, and in it the UK ICO opines that “Individuals can make a request for erasure verbally or in writing.” The UK’s ICO position is certainly not binding in Malta, and might not be in the UK itself, but the position does seem to follow the whole ethos of the GDPR, which is practically silent on the matter. In the author’s view it would be advisable to require said requests to be made in writing, with adequate and impartial assistance provided for illiterate data subject, if not for all data subjects who request it. However, this point has being considered from the perspective of the data subject’s rights and obligations, in the sense that there certainly is no apparent obligation on the data subject to comply with particular procedures for the exercise of this right. Nevertheless, it is important to stress out that data controllers and processors should still be in a position to record their activities to demonstrate compliance with the GDPR. Therefore, the latter should still have audited procedures in place to process legitimate data erasure requests and give effect thereto.
In most reasonable scenarios, the exercise of this right shall be free of charge for the data subject, although the controller may opt to charge “a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested” when the request is manifestly unfounded or excessive. In the latter case, the controller may alternatively deny the request, but in both cases the controller shares “the burden of demonstrating the manifestly unfounded or excessive character of the request”. This is as provided in Article 12, para. 5 GDPR. The author deems it quite probable that, if tested, the circumstances in which a request is deemed to be manifestly unfounded or excessive would be interpreted restrictively by the competent bodies, save if obviously of such nature for any reasonable person. This is yet to be seen and a general rule would probably result as being inadequate.
There are other aspects to consider in relation to the right to be forgotten, which in the brief confines of this article cannot be duly considered or have not been mentioned. In fact this article is being divided in parts in order to provide greater detail on this very important new right provided by the GDPR.
Disclaimer: This article is not to be considered as legal advice, and is not to be acted on as such. Should you require further information or legal assistance, please do not hesitate to contact Dr Edric Micallef Figallo on email@example.com.