Article 17 of the GDPR, The Right To Erasure, states:
Data Subjects have the right to obtain erasure from the data controller, without undue delay, if one of the following applies:
The controller doesn’t need the data anymore
The subject withdraws consent for the processing to which they previously agreed (and the controller doesn’t need to legally keep it [N.B. Many will, e.g. banks, for 7 years.])
The subject uses their right to object (Article 21) to the data processing
The controller and/or its processor is processing the data unlawfully
There is a legal requirement for the data to be erased
The data subject was a child at the time of collection (See Article 8 for more details on a child’s ability to consent)
If a controller makes the data public, then they are obligated to take reasonable steps to get other processors to erase the data, e.g. a website publishes an untrue story on an individual, is later required to erase it, and must also request that other websites erase their copy of the story.
Data might not have to be erased if any of the following apply:
The “right of freedom and expression”
The need to adhere to legal compliance, e.g. a bank keeping data for 7 years.
Reasons of public interest in the area of public health
Scientific, historical research or public interest archiving purposes
For supporting legal claims, e.g. PPI offerings.
Out of Scope
Non-electronic documents which are not (to be) filed (i.e. data you can’t search for), e.g. a random piece of microfiche or a paper notepad, are not classed as personal data in the GDPR and are therefore not subject to the right to erasure.
Not Going to Happen
Some personal data sets are impossible (or infeasible) to edit to remove individual records, e.g. a server backup or a piece of microfiche. Whilst these uneditable data sets are in scope of the Right to Erasure, the sets themselves would be out of scope for erasure editing procedures due to their immutable nature. If you can destroy the whole microfiche and not worry about losing other data then great. It’s the “editing” of microfiche that wouldn’t be possible here.
The Real World
Once an organisation understands where all of a subject’s personal data resides, an assessment must be made of what can be, should be, can’t be, and is infeasible to be erased. The exceptions above will commonly apply, such as legal requirements for data retention. But this doesn’t mean that the controller should keep the records “live” in an online system. To best protect the personal data, it should ideally be archived away to a more protected and locked-down system that meets the retention requirements and also goes as far as possible towards meeting the data subject’s desire to be erased.
Importantly, these exceptions can’t be used as an override, e.g. allowing the controller to keep considering the subject as an active customer that they can keep marketing to. The Principles of GDPR should keep the controller focused on best serving the rights of the data subject as much as possible, whilst meeting their wider requirements.