Right to erasure or right to be forgotten in all EU states

The Romania legislation – Law 677/2001 on the protection of individuals with regard to the processing of personal data and the free movement of such data – shall be soon replaced with Regulation (EU) 2016/679 on the protection of personal data, to be enforced in all EU states, therefore also in Romania starting with the 25th of May 2018.

This Regulation (EU) specifically refers to one of the rights individuals have with regard to the processing of their personal data – the right to erasure also known as the right to be forgotten.

Individuals have the right to request and obtain the erasure of their personal data by the controller, without undue delay, while the controller must erase any such data where one of the following grounds apply:

• the personal data are no longer necessary in relation to the purposes for which they were collected  or  otherwise processed;
• the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
• the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
• the personal data have been unlawfully processed;
• the personal data have to be erased for compliance with a legal obligation in Union or Member   State law to which the controller is subject;
• the personal data have been collected in relation to the offer of information society services for children

Where the controller has made the personal data public and is obliged to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

Such requests for erasure shall not be approved when the processing of personal data is necessary for the exercise of certain rights such as the freedom of expression and information, for compliance with a legal obligation that requires the processing of personal data according to Union or Member State Law to which the controller is subject or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Moreover, such requests will not be approved when processing is required for health purposes, including public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, while the erasure of personal data would adversely affect the accomplishment of the data processing objectives, or when the controller must keep such personal.

For the exercise of this specific right, the data subject must submit a request to the controller for the erase of its personal data. Provision of grounds is not mandatory and there are no specific form requests.

Such requests must be solved by the controller as soon as possible, however no later than 30 days after receiving the request. If the controller can’t solve the request in 30 days, it must inform the applicant that an extension is necessary by providing reasonable grounds for such delay. However, the extension of the initial 30-day deadline can’t be of more than 2 months.

If the data subject is not pleased with the reply issued by the controller, he/she can submit a complaint with the relevant Authority.

Publisher: Budusan si Asociatii