Article 17 of the GDPR, The Right To Erasure, states:
Data Subjects have the right to obtain erasure from the data controller, without undue delay, if one of the following applies:
The controller doesn’t need the data anymore
The subject withdraws consent for the processing with which they previously agreed to (and the controller doesn’t need to legally keep it [N.B. Many will, e.g. banks, for 7 years.])
The subject uses their right to object (Article 21) to the data processing
The controller and/or its processor is processing the data unlawfully
There is a legal requirement for the data to be erased
The data subject was a child at the time of collection (See Article 8 for more details on a child’s ability to consent)
If a controller makes the data public, then they are obligated to take reasonable steps to get other processors to erase the data, e.g. A website publishes an untrue story on an individual, and later is required to erase it, and also must request other websites erase their copy of the story.
Data Subjects have the right to obtain erasure from the data controller, without undue delay, if one of the following applies:
The controller doesn’t need the data anymore
The subject withdraws consent for the processing with which they previously agreed to (and the controller doesn’t need to legally keep it [N.B. Many will, e.g. banks, for 7 years.])
The subject uses their right to object (Article 21) to the data processing
The controller and/or its processor is processing the data unlawfully
There is a legal requirement for the data to be erased
The data subject was a child at the time of collection (See Article 8 for more details on a child’s ability to consent)
If a controller makes the data public, then they are obligated to take reasonable steps to get other processors to erase the data, e.g. A website publishes an untrue story on an individual, and later is required to erase it, and also must request other websites erase their copy of the story.