Privacy

Right to be Forgotten

User right to request deletion of personal data.

Right to be Forgotten is an essential concept in modern digital marketing and ecommerce analytics. Understanding and implementing this properly enables brands to make data-driven decisions, optimize marketing spend, and improve customer experiences. Critical for competitive advantage in the privacy-first marketing landscape.

Related Terms

Frequently Asked Questions

What is the Right to be Forgotten?

The Right to be Forgotten, formally known as the Right to Erasure under Article 17 of the General Data Protection Regulation (GDPR), grants individuals the power to request the deletion of their personal data by a data controller without undue delay. This right is not absolute and and applies under specific conditions, such as when the data is no longer necessary for the purpose it was collected, the individual withdraws consent, or the data has been unlawfully processed. A key detail is that the data controller must also take reasonable steps to inform other controllers processing the data of the request, especially if the data was made public. This principle is a cornerstone of modern data privacy laws, empowering consumers to manage their digital footprint and protecting them from the indefinite retention of their personal information.

How should organizations implement the Right to be Forgotten to ensure GDPR compliance?

Organizations must establish clear, documented procedures to handle Right to be Forgotten requests efficiently and within the one-month statutory deadline. Implementation involves several key steps: first, verify the identity of the requester and confirm the request meets one of the legal grounds for erasure. Second, the organization must locate and securely delete all copies of the personal data across all systems, including backups and third-party processors. Finally, the organization must communicate the completion of the erasure to the data subject and, if the data was made public, take reasonable steps to inform other controllers of the request. Failure to comply can result in significant financial penalties under the GDPR.

What is the difference between the Right to be Forgotten and the Right to Restriction of Processing?

The primary difference lies in the outcome of the request: the Right to be Forgotten (Right to Erasure) mandates the permanent deletion of personal data, while the Right to Restriction of Processing requires the data controller to temporarily halt the processing of the data. The Right to Restriction is typically invoked when the accuracy of the data is contested, the processing is unlawful but the data subject opposes erasure, or the data is needed for legal claims. In contrast, the Right to be Forgotten is a more definitive action, resulting in the complete removal of the data from the controller's systems, subject to certain legal exceptions like freedom of expression or public health interests.

Want accurate attribution without the complexity?

Causality Engine automates attribution reconciliation and provides real-time insights for Shopify brands.

Join Waitlist →