In this video, Mandy Huth reports on Article 17 of GDPR. Learn what the right to be forgotten is and the situations that allow erasure, including purpose, consent, objection, lawfulness, and compliance.
- [Instructor] Article 17 of GDPR discusses the scenarios when a data subject can request to be erased or forgotten. This is likely to be a highly used request. Article seven of GDPR states it shall be as easy to withdraw consent as it is to give it. Deletion is allowed when processing no longer has a lawful basis. Data can sit in storage after its used, and some data subjects may want it deleted rather than leave it under someone else's custody.
There are five scenarios that allow for erasure. Random requests are not subject to these deletion rules. In other words, the request must fall into one of these five situations to be considered. The first is purpose. Let's site an example. If you work for Explore California and they have personal information based on your employment then at some point if you were to leave Explore California and their required HR retention period is over, then that data no long serves its original purpose and can be deleted.
Next, is consent. If the original data collection was based on a voluntary agreement, then the data subject has the right to revoke that agreement at anytime and request deletion. Third, is objection. If an organization is collecting data and the data subject contests it, if the collecting organization cannot provide a prevailing reason to continue processing that data, then the subject can require the controller to erase it. The next one goes without saying.
If the processing wasn't done legally, it must be erased. Finally, if the controller is subject to laws that require data to be erased, then they must comply with the EU member's state laws. Understanding the situations that require controllers to erase personal data is important to the overarching data subject rights.
DISCLAIMER: Neither LinkedIn nor the instructor represents you, and they are not giving legal advice. The information conveyed through this course is not intended to give legal advice, but instead to communicate information to help viewers understand the basics of the topic presented. Certain concepts may not apply in all countries. The views (and legal interpretations) presented in this course do not necessarily represent the views of LinkedIn or Lynda.com.
- Compliance deadlines and penalties
- Data controllers and data processors under GDPR
- Exploring the role of the data protection office
- Technical measures outlined in the GDPR
- Reviewing the right to be forgotten and the situations that allow erasure
- Rules for children under the age of 16
- Breach notification