Right to erasure and right to data portability

The rights to erasure and to data portability should not be omitted in our discussion of data subjects’ rights.

The right to erasure (also known as “the right to be forgotten”) is to be found in Article 17 GDPR. It allows data subjects to obtain from data controllers the erasure of personal data concerning them without undue delay. This right, however, does not apply when, for example, the processing is necessary for the exercise of the right to freedom of expression and information; when there are reasons of public interest in the area of public health; or when legal claims must be established, exercised or defended.

“The right to be forgotten” was dealt with by the Court of Justice of the European Union (CJEU) in the judgment from 13 May 2014 involving Spanish citizen Mario Costeja González, the Spanish Data Protection Agency, Google Spain and Google Inc. The Court has observed that data subjects have a right to erasure meaning that information in search engines is not linked to data subjects’ names and that the search engine operators may be required to remove links to third party websites with personal information. If there is a significant interest of the general public to have access to this information, this interference with fundamental rights may be justified.

Data subjects also have the right to data portability or, in other words, the right to receive from controllers personal data concerning them in a structured, commonly used and machine-readable format and to transmit these data to other controllers. This has been laid down in Article 20 GDPR. If it is technically possible, personal data can be directly transmitted from one controller to another. The right to data portability is not applicable to the tasks carried out in the public interest or in the exercise of official authority by the controller and it cannot be invoked to adversely affect the rights and freedoms of others.