Last updated: 6th July 2020
GDPR introduces a right for individuals to have their personal data erased. This is referred to as the right to erasure, also known as the right to be forgotten.
The broad principle of this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
When does the right to erasure apply?
It should be understood that the right to erasure does not provide an absolute right to be forgotten. Individuals do, however, have the right to have their personal data erased and to prevent processing under specific circumstances.
Individuals have the right to have their personal data erased if:
- the personal data is no longer necessary for the purpose which you originally collected or processed it for;
- you are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
- you are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
- you are processing the personal data for direct marketing purposes and the individual objects to that processing;
- you have processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the 1st principle);
- you have to do it to comply with a legal obligation; or
- you have processed the personal data to offer information society services to a child.
Additionally, if the processing of the information is likely to cause damage or distress, this is likely to make the case for erasure stronger.
When can we refuse to comply with a request for erasure?
If it is established that there is a justified reason for erasure, we will notify all third parties of the request. They will then be required to establish whether or not there is a justifiable reason to erase such data. For full details of where your right to erasure will or will not apply, please see the ICO website.
Can we refuse to comply with a request for other reasons?
We can refuse to comply with a request for erasure if it is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.
Should we consider that a request is manifestly unfounded or excessive, we can:
- request a “reasonable fee” to deal with the request; or
- refuse to deal with the request.
How is a request refused?
A request will be refused formally in writing, stating the reason(s) for refusal.
How do we recognise a request?
It is preferable that all requests are made in writing, to ensure that no communication is misunderstood and that each request can be easily referenced in an audit trail. We understand, however, that from time to time individuals may wish to exercise their right to erasure verbally.
Please ensure that identification is provided as part of your request.
Please submit all requests for the attention of the Data Protection Officer to:
- FAO Data Protection Officer – Adam Stretton, The Right Mortgage, St Johns Court, 70 St Johns Close, Knowle, Solihull, B93 0NH
How do we inform you of what data was held and erased?
When complying with your wishes to erase your data, we will first conduct an audit to establish what data is held. We will subsequently delete this data and notify you in writing.
How long do we have to comply?
We will respond to you within one month of receiving your request. If your request is particularly complex, we may extend this timeframe by up to two months; however, you will be notified if this is the case.
What methods do we have to erase data?
Your information will be destroyed in line with ICO guidelines.