blog
The right to be forgotten: a non-absolute right
November 3, 2020
1 min read
The General Data Protection Regulation (GDPR), which regulates how personal data can be collected, stored and erased, brought attention to this new right: the right to be forgotten.
1. What defines this right?
The right to be forgotten is a powerful one since individuals can ask entities who stored their personal data to erase it. Controllers, the entities responsible for collecting, storing, and erasing personal data, most of the time have express prior consent from individuals for data processing. So, exercising the right to be forgotten, bottom line, means that individuals withdraw that consent.
Facing this situation, controllers must, without undue delay, erase all personal data from their database.
2. Does all data processing require express consent from individuals?
In some situations, it is not required for individuals to consent data processing concerning their personal data.
An example is when we open a bank account. If you do not consent data processing in this case, the bank entity cannot fulfill its contractual obligations.
3. Is the right to be forgotten an absolute right?
Like some situations do not require express consent for data processing, there are some situations in which controllers can deny the erasure of personal data.
I highlight two examples:
- One of them, probably the most important one in our activity, is when debt recovery requires data processing. If an individual has a debt, even if he or she asks to exercise its right to be forgotten, controllers can deny it and maintain data processing since it is the only way for them to continue to enforce its right to recover the debt.
- Another example is when data processing is necessary to comply with a legal ruling or obligation (for instance, to comply with anti-money laundering regulations).
All the above shows that the right to be forgotten, like other rights, has its limits and some rights prevail over it.
Patrícia Ramos
Legal Counsel