Blogs from lawyers
in Amsterdam

The right to erasure under the GDPR in the Netherlands

The right to erasure under the GDPR in the Netherlands

Since May 25th, 2018, the General Data Protection Regulation (GDPR) has come into force, meaning that the same privacy legislation is applicable in all member states of the European Union (EU). Thus the Dutch Protection of Personal Data and Privacy Law (Wet bescherming persoonsgegevens) is no longer in force. The GDPR has brought about changes; organizations now have more responsibilities and may incur fines of up to EUR 20,000,000.-.

The right to erasure

According to article 17 GDPR, data subjects have the right to erasure meaning that organizations are, in some cases, obliged to remove personal data at the data subject's request.

Conditions for the right to erasure

The right to erasure is not endless; here are three examples of where the right to erasure is applicable. The first example where the right to erasure arises is where the personal data is no longer necessary with regards to the purpose for which it was collected or processed.

Another example of where there is a right to erasure is where the data subject had given their approval at an earlier stage to the organization for the use of its data but now withdraws their approval.

The third example where the right to erasure arises is when the data subject is making an objection against the processing of their personal data. Article 21 GDPR outlines that there is an absolute right of objection against direct marketing and there is a personal right of objection if the rights of the data subject outweigh the interest the organization has in processing the personal data of the data subject.

The unlawful processing of data

If the organization processes personal data unlawfully (i.e. if there is no legal ground for the process) then the data subject has a right to erasure. Furthermore, an organization has an obligation to delete the personal data after a certain amount of time, and children younger than 16 years have the right to erasure if their data has been collected by an app or website.

When is there no right to erasure under the GDPR?

According to the GDPR there are some situations where there is no right to erasure. For example, no right arises when: the processing is necessary to practice the right of freedom of speech and information; the organization processes the data to meet its statutory obligations; the organization is processing data for tasks carried out in the public interest or public authority; the organization processes data for a task carried out in the public interest and public health; the organization has to keep records in the public interest and when the data is necessary for legal action.

Furthermore, article 23 of the GDPR outlines a few general exceptions to the data subject's right to erasure, resulting in special circumstances where organizations are able to disregard a data subject's requests. The organization will then have consider, on the balance of interests, whether their interest (the rights and freedoms of others) outweigh the privacy right of the data subject. For instance, a data subject should not be able to rely on the right to erasure to remove traces of criminal behavior.

What should my organization do when a subject requests to remove its data?

In principle, if the data subject expresses that they wish to exercise their right to erasure, the organization should remove their data promptly - or at least within a month. In situations where the request of the data subject is very complicated, the organization may be given two months extra time. If after the two extra months the organisation still requires more time, then it will be obligated to inform the data subject that the request will take longer.

If the data subject requests your organization by e-mail to remove their data, the organization should, in principle, respond by e-mail. The request should be free of charge for the subject, however in the event that the organization can prove that the request is unfounded or excessive, a reasonable fee may be incurred. It is important to bear in mind that the request may also be denied.

When data has been distributed to third parties

In the event the organization has distributed the data to third parties, the organization is obligated to inform the third parties that the data has been (or has to be) erased. The organization should inform the third party that every copy and/or link to the personal data should be erased. For instance when an organization is publishing on a website, search engines will have to be informed. Therefore, you may have your webpage indexed from the bottom up. The erased personal data will no longer appear in search results of the search engine. The data subject may ask which third parties your organization has informed, and the organization will be obligated to inform the data subject about this. Keep in mind that the right to erasure is also applicable on backups.

Privacydesk attorneys

Would you like to have any more information concerning the GDPR in the Netherlands? Does your organization need to comply with right to erasure requests? You can ask all your questions concerning the GDPR in the Netherlands to Lisa Jie Sam Foek, one of the privacydesk attorneys.

LAW - associated firm

Together with a number of international law firms outside
The Netherlands, Blenheim is member of Lawyers Associated Worldwide.

read more

Contact form



Contact form