The right to be forgotten - with a convenient sample letter!

An enormous amount of information is recorded about us. Almost every step we take - on the internet, but often also literally - is stored somewhere. We give a lot of information away about ourselves: where we are, what we buy, with whom we interact, you name it.

Now this in itself isn’t necessarily a problem, were it not for the fact that not every company or authority handles our data with care. Your data is used more often than you think for purposes you may not entirely support. For example, it is sold to third parties for a lot of money. Or even worse: your data ends is up for grabs if a company doesn’t have all their security checks under control.

When a data leak occurs, it is possible that you too will become a victim of it. Your account data becomes accessible to be picked up by anyone with bad intentions.

A few years ago this website was launched. On it you can check if your email address was part of a data leak.

If this is the case, do not panic. This doesn’t necessarily mean that your account, and associated data, has been misused. It is however wise to change your password as soon as possible. Also do this for any other accounts that you’ve used that password for.

Unfortunately, sometimes your data is misused. The more information that is available about you online, the easier it becomes to commit identity fraud with your data.

So make sure you ‘protect’ your accounts as much as possible against this. How you go about this differs for each account. Any somewhat legitimate business you have an account with will offer an option in their menu where you can alter your account and privacy settings.

Privacy violations can also occur on a large scale. Remember the Cambridge Analytica scandal? Where sensitive Facebook data was collected and surreptitiously used for political gain?

We have previously written an article on 10 ways to guarantee your online safety.

To ensure that your data is handled with care, a law has been put in place that protects your privacy: the General Data Protection Regulation (GDPR).

This law states, among other things, that if a company no longer has a good reason to save your personal data, they’re obliged to delete it. Simply put, you have ‘the right to be forgotten’, which means that a company ‘forgets’ your data.

A term that is often used when it comes to personal data is ‘data minimisation’. This means that companies can’t collect more data than is absolutely necessary. To be precise, data minimisation means that in the collection and processing of personal data, no more data may be collected than is strictly necessary to achieve the purpose for which they are to be used.

In some cases you do not have the right to be forgotten.

Sometimes a company is not legally obliged to delete your data. This applies to cases where the processing of data is required by law (e.g. the data required by the Tax and Customs Administration (Belastingdienst)), is important for maintaining public order (such as the police), is in the interest of public health or legal action (a suspect cannot request personal data to be forgotten in court) or the deletion request is contrary to the freedom of expression.

In most cases you do have the right to be forgotten.

You can ask an organisation to delete your data in any of the following situations (make sure you always mention one of these reasons when invoking your right to be forgotten!):

• The organisation no longer needs your data. When your data is no longer relevant to a company and is no longer being used for the previously intended purpose, then the data must be deleted according to the data deletion obligation.
• You object to the use of your data. Under the GDPR, you can always request that the processing of your data be stopped.
• You have previously given an organisation permission to use your data, but revoke this permission. Organisations must comply with this and remove all personal data mentioned in the request. A good example of this is the newsletters sent out by some companies. If you respond that you no longer wish to receive their letters, the company must comply.
• Your data is being processed unlawfully. For example, when a company does not adhere to the privacy laws when handling your data. If this is the case, then you always have the right to be forgotten.
• The legally defined period of time during which a company can store your data has expired. In this case, organisations are legally required to delete your data.
• Your child is under the age of 16 and yet personal information has been collected through the use of apps or a website. In this case, their personal data was obtained unlawfully which means they have the right to be forgotten.

When someone passes away it is not only important to, for example, terminate their rent contract and cancel their subscription services, but it is also important to protect their personal data. The GDPR, the law that we can use to protect our data, does not apply to the deceased. Most social media platforms do, however, allow you to report that someone has passed away. In addition, you can often specify whether you want an account to be deleted. On some platforms you can even have a commemoration page set up.

Curious about what happens with your data when you delete an account? That depends on the website in question.

Deleting your Facebook account is not straight forward. First, you’ll be redirected to the option to deactivate your account. When you deactivate your account, your personal data will still be saved. You can log in again at any moment. Only once you’ve deleted your account, will Facebook start to delete your personal data.

The deletion process can often take up to 90(!) days. Also when you delete apps on your phone, your data will be saved. You delete the app, not your data. So pay close attention to this when your goal is to protect your personal data.

Would you like a company to delete your personal data? The best way to do this is in writing or through email. This means you’ll then receive evidence that you could use to file a complaint with the Personal Data Authority. A few things must be stated in such a letter or email, i.e. your reason, such as those listed above, and the data that you want deleted.

Do you want a company to delete your data after reading this article? What you need to do is simple:

1. Copy the sample letter below and fill in the parts written in italics with your own data.

2. Print this letter;

3. And send it to the company in question

   If all goes well, you will receive a response within a month stating that your data has been deleted. Please note that you must give one of the legitimate reasons as to why you want your data deleted. Be sure to name at least one of the 6 reasons listed above, applicable to your case, in the letter.

__

[Name]

[Address]

[Postcode and City]

[date]

Subject: Request to delete personal data

To whomever it may concern,

With the sending of this letter, I request my personal data to be deleted. I hereby invoke Articles 12 and 17 of the General Data Protection Regulation. The data that I wish to have deleted are as follows: [fill in which data you want to have deleted, for example: my account and all related data]. The reason for this request is as follows: [fill in one of the reasons listed below].

I kindly request a written reaction, in which is stated whether my request has been fulfilled. If my request for the deletion of my personal data cannot be fulfilled, please inform me of the reason.

Kind regards,

[Name]

[Address]

[Postcode and City]

__

• My personal data is no longer needed for the reason it was originally collected

• I object to the use of my personal data

• I have previously consented to the use of my personal data, but I hereby withdraw my consent

• My personal data is being processed unlawfully

• The legal period for the storage of my personal data has been exceeded

• You are processing personal data from a person under the age of 16