Risk & Compliance

GDPR and the right to be forgotten

Since 2018, the General Data Protection Regulation (GDPR) has been in force. Part of the GDPR is the right to be forgotten. If, as an organisation, you have no good reason (anymore) to continue processing someone’s personal data, it is important that you erase this data. Data subjects have the right to oblivion, i.e. that you ‘forget’ them. They may ask for this before your own retention periods expire. How do you handle this?

Date:April 2, 2022

The right to be forgotten

Data subjects can ask you to delete their personal data in a number of cases. You must delete a data subject’s personal data in the following situations:

  • No longer needed: You no longer need the personal data for the purpose for which you collected it or for which you process it.
  • Consent withdrawn: A data subject has previously given you consent to use their data, but now withdraws that consent.
  • Objection: a data subject objects to the use of their data. For example, because of a changed personal situation.
  • Unlawful processing: You process the data subject’s personal data unlawfully. For example, because you do not have a legal basis for the processing.
  • Legal retention period expired: You are legally obliged to delete the data after a certain period of time.
  • Apps and websites with children: You have collected personal data from a data subject under 16 through an app or website.

The right to be forgotten does not apply in some exceptional cases. For example, you may not delete data if you are legally obliged to use someone’s data or keep it for a certain time.

How do you organise the right to be forgotten in your organisation?

When you delete someone’s data in response to an individual request, you should also inform the processors and third parties to whom you have provided the personal data that they should delete certain personal data. Make sure you check everything carefully. So that, for example, someone does not still receive an advertising email even though you have confirmed that his/her email address has been deleted from the organisations’ files.

People sometimes ask organisations to prove that their personal data has really been deleted after a request. However, it is not possible to prove that you don’t have personal data (anymore). However, you can indicate what has been done with specific personal data. By law, you are obliged to give people feedback if they invoke their privacy rights. Based on that response, someone may assume that your confirmation is correct. Preferably give the feedback in writing (e.g. by e-mail). Be as specific as possible, for example about which data you have deleted and when. Also indicate with reasons which personal data you have not deleted and possibly when you will do so.

If anyone has doubts about the implementation of their request, they can file a complaint with the Data Authority.


When the retention period of personal data has expired, you must also delete it under the right to be forgotten. In many cases, however, it is not technically possible to delete data from systems. To overcome this, data can be anonymised. This is also known as data masking. This is an irreversible method in which personal data is processed in such a way that it can no longer be used to identify a person. Once data is anonymised, the AVG no longer applies because at that point it is no longer personal data.

An additional advantage is that this way, data can be preserved for statistical purposes, for instance. However, anonymisation should be done by authorised persons and within the applicable rules. After all, until the data is anonymised, it is still personal data to which the AVG applies.

Methods to anonymise data are:

  • Data can be translated into other data completely arbitrarily.
  • Data within a dataset can be shifted. Surnames, for example, can be swapped.
  • Certain data, such as the first digits of a number, can be deleted.
  • All day or month numbers can be replaced by the same number, e.g. zero or one.
  • Data can be (partly) replaced by random, notional data from another data set.
  • Data can be replaced via predefined rules.
  • Most importantly, the process must be irreversible. The key used to anonymise data must not be kept. If that key is still there, it is pseudonymisation. Pseudonymised personal data is still subject to the AVG.

Is your organisation (still) GDPR proof?

Privacy protection is an ongoing process that contributes to people’s trust in your organisation. Yet it turns out that many organisations have questions about implementing the GDPR in practice. As an organisation, how do you facilitate customer privacy rights? Or what about employee data processing? And when do you have to report a data breach to the Data Authority?

Our privacy specialists can help you answer these questions. Please feel free to get in touch for a free consultation.