Erasure, Restriction and Objection – Rights – Part 3

people right to erasure

Erasure, Restriction and Objection – Rights – Part 3

In the last post in the series on data subjects rights we will be covering the right to erasure, the right to restrict processing and the right to object. In case you missed them, the first post in the series talked about access and rectification, while our second post talked about profiling and data portability.

The right to erasure (right to be forgotten)

The right to erasure, also called the right to be forgotten is not new to those familiar with the Data Protection Directive. The GDPR, however, brings changes to this right, transforming it, in the opinion of many in a worse, harder to implement right. The right to be forgotten is described in Article 17 of the GDPR.

When can it be requested?

There are several circumstances when a data subject can request erasure of their data. For example, when the data is no longer necessary for the purpose for which it was collected. Also, when the processing is based only on consent, if the data subject withdraws the consent, erasure might be necessary. The same applies if consent was given as a child.On the other, if the processing is based on legitimate interest, the data subject’s could first object to the processing. If the controller is unable to prove their legitimate interests override the interest of the data subject, erasure can be requested. However, If the processing is unlawful, again the solution could be erasure.

The right to be forgotten is actually an extension of the right to erasure. It can come useful in cases such as personal data posted on a public website. This extension requires the controller to take steps to inform all third parties of the data subject’s request, to ensure not only erasure but that data is truly ‘forgotten’.

So what is so hard about the right to be forgotten?

Well, for starters, data controllers might find it hard to determine all of the data’s recipients and inform all the other controllers. When a data subjects wants their data to be erased, all of those to whom the data had been transferred have to comply as well. Some controllers may also feel that the fundamental right to freedom of expression and information is violated. Of course, the right of freedom and expression is an actual exception to the right to be forgotten. However, many consider the line is very blur and it might be difficult to determine when the right to erasure ends and the right to freedom of expression begins.

The right to restriction

Outlined in Article 18, restriction is a new right under the GDPR. Unlike erasure, restriction allows data to continue being stored without being processed.

When and why…

would a data subject prefer restriction to erasure? Firstly, there is the case when the data subject believes the data is not accurate The controller might need time to verify this claim, in which case restriction to process the data should be applied. Also, in the case when the controller no longer needs the data, the data subject might still need it for the establishment, exercise or defense of legal claims. Again, restriction of processing will be the best solution. If the processing is unlawful, the data subject will usually want the data erased. However, in certain cases they might prefer restriction. Finally, when a data subject objects to the processing, the first solution taken is restriction until the controller can verify the legitimate basis for processing.

In short, restriction provides an alternative to erasure. It also gives a temporary solution when data is inaccurate or when the legitimate basis for processing cannot be immediately proven.

How should restriction be implemented?

The GDPR does not require specific actions, it just provides a list of possible methods such as moving the data to a separate system, making the personal data temporary unavailable. Other possible methods to implement restriction would be noting the restriction in the system, temporarily blocking a website or using the data under narrow conditions. Each controller can choose any method they want as long as the right of the data subject is respected. Once the data is restricted, it can still be processed but only with a new consent from the data subject. Also, restricted data can be processed in order to exercise or defend legal claims, to protect the rights of another person or for public interest reasons. When the restriction is lifted, the controller has the obligation to inform the data subject.

The right to object

The right to object is set out in Article 21 of the GDPR. It is not an absolute right and it applies only in certain circumstances. Firstly, when the processing of data falls in the category of direct marketing. In this case the right is absolute as a data subject can object at any time when his or her data is processed for direct marketing purposes.

Next, a data subject can object is their data is processed for research or statistical purposes. This time, objecting is not an absolute right as it can be overridden is the research is necessary for the performance of a task carried out in the public interest.

Finally, if the data is processed based on public or legitimate interests, objection is possible. In this case, the controller will need to demonstrate it has compelling legitimate interest to process the data that override the data subject’s rights and freedoms.

Summing up

Data subjects’ rights are one of the most important parts of the GDPR. Failure to comply, failure to offer one of these rights can make you face the greatest fines of the GDPR – 4% of the annual turnover, or 20$ million, whichever is higher. Equal rights for all EU citizens is the core of the GDPR, one of its greatest aims. We’ve seen throughout this three-part series that not all are new rights and they are not all easy to implement.

Photo credit:


About the author

Laura Vegh is the Chief Security Officer at, a passwordless security solution. She has a PhD in Systems Engineering, focused on cyber-physical systems security.