The controversial “right to be forgotten” is now the law of the EU land.
For most companies, this is really a right for consumers to erase their data.
The GDPR has strengthened the DPD’s existing rules on deletion and then adds the right to be forgotten. There’s now language that would force the controller to take reasonable steps to inform third-parties of a request to have information deleted.
Discussed in Article 17 of the proposed GDPR, it states that “the (…) controller shall have the obligation to erase personal data without undue delay, especially in relation to personal data which are collected when the data subject was a child, and the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay”.
This means that in the case of a social media service that publishes personal data of a subscriber to the Web, they would have to remove not only the initial information but also contact other websites that may have copied the information. This would not be an easy process!
What if the data controller gives the personal data to other third-parties, say a cloud-based service for storage or processing?
The long arm of the EU regulations still applies: as data processors, the cloud service will also have to erase the personal data when asked to by the controller.
Translation: the consumer or data subject can request to erase the data held by companies at any time. In the EU, the data belongs to the people!