How to erase your personal data lawfully, or how to exercise the right to be forgotten
In the digital era, personal data is processed massively and daily by various controllers: social networks, online stores, banks, state institutions, employers, and others. That is precisely why the protection of privacy is at the heart of the General Data Protection Regulation (GDPR) and the Personal Data Protection Act. One of the most important rights citizens have is the right to erasure of personal data, also known as "the right to be forgotten".
In this article, we will look at when and how you can exercise this right, what controllers must do, what European and Bulgarian institutions say, as well as examples from the real practice of the Commission for Personal Data Protection (CPDP).
What is the right to be forgotten?
The right to erasure is regulated in Article 17 of the GDPR. It gives individuals the opportunity to ask personal data controllers to erase their data under certain conditions. The main grounds for this are:
- The personal data is no longer necessary for the purposes for which it was collected or processed;
- The person withdraws their consent and there is no other legal basis for the processing;
- The person objects to the processing (e.g. for direct marketing);
- The data has been processed unlawfully;
- The data must be erased in order to comply with a legal obligation (e.g. a requirement under national legislation);
- The data was collected in the context of offering an information society service to a child.
It is important to note that the right to erasure is not absolute. There are exceptions, for example when processing is necessary for the exercise of freedom of expression, compliance with a legal obligation, archiving in the public interest, scientific research, or the establishment of legal claims.
How do you submit a request for erasure of personal data?
Any citizen may submit a written request to the relevant personal data controller. The request should include:
- Identification of the person (name, personal ID number/foreigner's personal number, correspondence address);
- A clearly stated request for the erasure of specific personal data;
- The ground (e.g. withdrawn consent, expiry of the retention period, etc.);
- Date and signature.
Request templates can also be found on the CPDP website.
The controller is obliged to respond within one month, and in the event of complexity, the period may be extended by another two months. In case of refusal, the controller must justify its decision, and the citizen has the right to file a complaint with the CPDP.
How does the CPDP respond to a complaint about refused or incomplete erasure?
The CPDP investigates the complaint and, if it finds a violation, may impose:
- An obligation to delete the data;
- Financial sanctions – fines that, depending on the severity of the violation, can reach up to 5% of the controller's annual turnover;
- Recommendations and corrective actions.
The 2024 annual report of the CPDP notes that the right to erasure is one of the most frequently exercised rights, and a large share of complaints concerns precisely the refusal or silent refusal by controllers to erase data.
Examples from the practice of the CPDP
Example 1: Personal data in an internet forum
A citizen submits a request to a web forum controller for the erasure of her personal data (posts with her name and family details). The controller does not respond. After a complaint to the CPDP, an inspection is carried out and it is established that there is a ground for erasure. The Commission orders the deletion and fines the controller BGN 2,000.
Example 2: Photos on a social network
A person requests the deletion of their photos from a business profile on Facebook, uploaded by a former employer. After a refusal, the CPDP determines that there is no legal basis for keeping them and orders their deletion, issuing a warning.
Example 3: School registration
A parent asks for the registration of their child on an e-learning platform to be erased after the student has transferred. The school refuses. After the CPDP's intervention, the data is erased, and the school is instructed to create an internal procedure for such cases.
What should controllers know?
Controllers are obliged to:
- Maintain internal rules and procedures for handling requests for erasure;
- Respond on time and with reasons;
- Ensure that erasure covers all systems in which data is processed (including backups and third parties);
- Keep a register of received requests and the actions taken on them.
Also, when personal data has been made public, the controller must inform all third parties to whom it has disclosed the data that erasure is requested – insofar as this is possible and does not require disproportionate effort.
Exceptions to the right to erasure
There are cases in which controllers have the right to refuse deletion. This may happen if processing is necessary:
- For the exercise of freedom of expression and information;
- For compliance with a legal obligation (e.g. accounting legislation);
- For reasons of public interest in the area of public health;
- For the establishment, exercise, or defense of legal claims.
For example: if you are a bank customer and request the erasure of all your data, this cannot be carried out if there is an active loan or a retention obligation under the Accounting Act.
Practical advice for citizens
- Check whether you have grounds. Not every inconvenient post can be erased.
- Prepare a written request. Use a template or legal advisor if in doubt.
- Monitor the deadlines. If you do not receive a response within 30 days, file a complaint with the CPDP.
- Keep the correspondence. It may serve as evidence in a complaint.
In summary
The "right to be forgotten" is a powerful tool in the hands of every citizen. It allows control over one's own personal data and guarantees that you will not be subject to unlawful storage or dissemination. For it to be effective, however, it must be applied correctly both by individuals and by controllers.
If you are not sure how to exercise this right or face refusal, do not hesitate to contact the Commission for Personal Data Protection or a legal advisor.
If you want to learn more about your rights and how to exercise them in various real-life situations, sign up for our online personal data protection training at store.nit.bg! The course is aligned with the requirements of the GDPR and Bulgarian legislation and is suitable both for personal data controllers and for any citizen who wants to protect themselves in the digital age.
Sources:
- General Data Protection Regulation (EU) 2016/679 – Art. 17
- Personal Data Protection Act
- 2024 annual report of the CPDP
- CPDP decisions published at https://www.cpdp.bg