These articles set out our right to be erased, or at least forgotten about. This also includes a provision to be notified when our request has been fulfilled. These rights allow us to have more control over who has our data and who may use it. The articles also outline our right to retrieve our data from an entity, have it erased completely, and then provide it to another entity with ease. The process to have the data erased should be as simple as it was to provide. The process to move our data from one entity to another should also not place an undue burden on the data subject. Let’s look at these articles in more detail below.
Article 16 – Right to Rectification
- The data subject has the right to obtain from the controller the rectification of their personal data if it is inaccurate. If the data is incomplete, the data subject has the right to have it completed, taking into account the purposes of the processing.
Article 17 – Right to Erasure
- The data subject shall have the right to obtain evidence of the erasure of their personal data from the controller. The controller must erase the personal data without undue delay where one of the following applies:
  - Personal data are no longer needed in relation to the purpose of processing.
  - The data subject withdraws the consent on which the processing is based under point (a) of Article 6 or point (a) of Article 9, and there is no other legal ground for the processing.
  - The data subject objects to the processing, pursuant to Article 21 (1), and there are no overriding legitimate grounds for the processing, such as public health or historical records. Another option is to object pursuant to Article 21 (2).
  - The personal data have been unlawfully processed.
  - The personal data must be erased for compliance with a legal obligation the controller is subject to.
  - The personal data have been collected in relation to the offer of information society services. This would be in reference to collecting data of a child who is not at least 16 years old. See Article 8.
- The controller shall take reasonable steps, including technical measures, to inform other controllers that are processing data that the data subject has requested be erased. This applies where the data controller has made the personal data public and is obliged to erase that data, upon request, pursuant to paragraph 1.
- The first two paragraphs won’t apply to the extent that processing is necessary:
  - for exercising the right of freedom of expression and information.
  - for compliance with a legal obligation from the Union or Member State to which the controller is subject or for the performance of a task carried out in the public interest. This would also include instances in which the controller has official authority over the data.
  - for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9.
  - for archiving purposes in the public interest, scientific, or historical research purposes, including statistical purposes.
  - for the establishment, exercise, or defense of legal claims.
Article 18 – Right to Restriction of Processing
- The data subject may obtain from the controller restriction of processing when one of the following applies:
  - The data subject contests the accuracy of the data, allowing the controller to verify the data’s accuracy.
  - The processing is unlawful and the data subject requests the restriction of the processing instead of erasure.
  - The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for establishment, exercise, or defense of legal claims.
  - The data subject has objected to processing pursuant to Article 21. This is pending the verification of the legitimacy of the controller overriding the request.
Article 19 – Notification Regarding Erasure or Rectification
- The controller shall communicate any rectification or erasure of personal data, or restriction of processing, carried out in accordance with Articles 16, 17, and 18 (see above). This shall be done to each recipient to whom the personal data have been disclosed (so anyone who received personal data from the controller). If this is impossible or involves disproportionate effort (whatever that might mean), then the controller must send this notification instead of the former. The controller also must inform the data recipients (a company, for example) if the data subject (you and me) has requested their data.
Article 20 – Right to Data Portability
- The data subject has the right to receive the data they requested in a structured, commonly understood format from the controller. The data subject also has the right to transfer this data to another controller without hindrance from the controller that provided the requested data where:
  - The processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a). This can also apply to a contract pursuant to Article 6(1)(b).
  - The processing is carried out by automated means.
- The data subject shall have the right to have the data transmitted directly from one controller to another when technically feasible, and without hindrance.
- The exercise of the right in point 1 above shall be without prejudice to Article 17. This right does not apply to the processing of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- The rights referred to in point 1 above shall not adversely affect the rights and freedoms of others.
How does this apply to us?
Let’s assume we are Union citizens when applying these articles. If I discover that my data is inaccurate, incomplete, or obtained without my consent, I can request that the controller correct or erase my data, or in other words, “forget” me. I am also entitled to receive a notification from the controller once this process has been completed. I may also request that the processing of my data be restricted if I believe it should be and I did not consent to its collection in the first place. If any of these situations plays out, the controller I sent the request to has to inform the other recipients of the data of my request and the actions they must take. Lastly, I may also have my data transferred to another controller without undue delay. If I want my healthcare data transferred to another provider, I have the right to have that happen.
So, say a company specializing in tree removal sends me advertising mail, specifically addressed to me with personally identifiable information (PII) on the letter. This company didn’t obtain this info from me, so I would need to determine how they obtained that information and then contact the controller to get my information erased. This controller of the marketing research company that the tree company bought my information from would need to erase my data and also contact all companies that have my data as well. The other companies would need to also erase my data.
Of course, this sort of thing would not apply to instances of public health, criminal investigations wherein the controller has official authority, or scientific and/or historical purposes, as mentioned in previous articles. For example, during the COVID-19 pandemic, the processing of data in the interest of public health would supersede the provisions in the articles. However, once the pandemic has ended and a sufficient amount of time has passed, the data subject will have a good chance of getting their data erased if they request it.
HARVEY AND ROSS
When we look back at the interaction between Harvey and Ross and the research study with the clinic, we remember that Harvey was provided all the details (almost, if you check back to Articles 7-8) around what would be done with his information. There wasn’t anything in the form that hindered Harvey from backing out of the study and requesting that his data be erased, rectified, or handed over to take elsewhere. In this area, Ross did a good job and, as the controller, is able to allow Harvey access to his data.
Where it gets tricky is where Harvey wasn’t informed that his data was being used by another party. Ross would need to inform that party if Harvey requested an erasure or any restriction of processing his data. Obviously, Harvey wouldn’t know Ross would do this since he didn’t know Ross was doing this in the first place. And although it was in the interest of public health, it was a research study and not related to anything major, such as COVID-19 or something similar.
At the end of the day, Ross provided Harvey with what he needed to exercise the rights in each of the articles seen in this newsletter. If Harvey had requested all his data, Ross would need to provide it, including what was given to the third-party research lab. Any competent person, which we know Harvey to be, would realize that the source of that data wasn’t from Ross’s clinic. Unless Ross lies and says all the data is from his clinic, he wouldn’t violate the articles above as long as he is able to fulfill Harvey’s request. If the request is unreasonable, Ross must be able to show why.
These are my thoughts and should not be taken as professional advice simply because you are not paying me for my opinion.
Once you understand how valuable your information is, then you can begin taking steps to keep it private.