The General Data Protection Regulation will be implemented in May 2018. The EU has created this policy in order to be up to date for the digital age and put individuals back in control of their own personal data. One specific part of GDPR is the right to erasure, also known as the right to be forgotten. This means that individuals will be able to request the removal of their personal data regardless of the reason.

Where does this apply?

The implementation of GDPR and the right to erasure will give people a lot more power and rights over their data, however, this doesn’t actually mean an absolute right to be forgotten. Individuals will have the right only in certain circumstances.

Specific circumstances include:

  • When the individual withdraws consent
  • When the individual objects to the processing and there is no overruling legitimate interest for continuing the processing
  • If personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
  • The personal data was in breach of GDPR and unlawful
  • The personal data is required to be erased in order to comply with a legal obligation
  • The personal data is processed in relation to the offer of information society services to a child

Currently, under the Data Protection Act, an individual’s right to erasure is limited to processing that causes unwarranted and substantial damage and distress. However, under GDPR this threshold is not stated. Nevertheless, there will still be requests for rights to erasure which organisations can refuse to comply with.

For example, purposes such as complying with legal obligations, public health purposes and to exercise the right of freedom of expression and information. A case by case assessment will be needed to consider the type of information, the sensitivity of the individual’s private life and public interest in having access to the information.

Organisations must accept that personal data rights will be changed to give more rights back to the individuals as opposed to the data controllers. The right to erasure will mean that organisations will need to create a simple process for individuals requesting a right to erasure.


To find out more, check out the Compliance Briefing – a special event hosted in Malta that will focus on the likely impact GDPR will have on critical processes for the gaming industry and provide a framework to keep your organisation GDPR compliant. The Compliance Briefing will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond. Further information on the conference and booking details are available at www.compliancebriefing.com