Bryan Cave Combines with Berwin Leighton Paisner to Form Bryan Cave Leighton Paisner LLP Learn More

GDPR’s Most Frequently Asked Questions: Does a Company’s Reason for Processing Information Impact Whether It Must Delete it?

May 15, 2018

The European Union's General Data Protection Regulation ("GDPR") is arguably the most comprehensive - and complex - data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.

To help address that confusion, Bryan Cave Leighton Paisner is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR, and concerning related data privacy laws in the European Union.

Question: Does a company’s reason for processing information impact whether it must honor a right to be forgotten request?

Answer: Yes.The right to be forgotten is not an absolute right and must only be honored in a narrow set of circumstances. 

When determining whether a right to be forgotten request must be honored one of the factors that companies look to is why they collected the information in the first place, and their purpose in continuing to use it.  The GDPR recognizes six situations in which a company may process personal data.  When processing is based on some of those situations, referred to as permissible purposes, a request to be forgotten may always be denied; when processing is based on other permissible purposes a request to be forgotten may, or may not, need to be honored depending upon additional factors. 

The following chart indicates which permissible purposes confer which substantive rights on individuals, and highlights those that relate to the right to be forgotten.  A “Y” indicates that an individual’s request may have to be honored; a “X” indicates that in almost all situations an individual’s request can be denied.

Permissible Purpose

Right to be forgotten

Right to Access data

Right to data portability

Right to rectification

Right to object to processing

Consent
(i.e., Article 6(1)(a))

Y

Y

Y1

Y

Y2

Contract
(i.e., Article 6(1)(b))

X

Y

Y3

Y

X

Compliance with legal obligation

(i.e., Article 6(1)(c))

X

Y

X

Y

X

Protecting vital interest of data subject (i.e., Article 6(1)(d))

X

Y

X

Y

X

Public interest

(i.e., Article 6(1)(e))

X4

 

Y

X

Y

Y

Legitimate interest of controller

(i.e., Article 6(1)(f))

Y5

Y

X

Y

Y

 


1. Note that processing must also be carried out by automated means in order for right to apply.  GDPR, Article 20(1)(b).

2. Although an individual does not have a right to object pursuant to GDPR Article 21, they do have a right to withdraw consent pursuant to GDPR Article 7(3).

3. Note that processing must also be carried out by automated means in order for right to apply.  GDPR, Article 20(1)(b).

4. When a request is made the controller is required to determine whether there is an overriding legitimate grounds for processing.

5. When a request is made the controller is required to determine whether there is an overriding legitimate grounds for processing.