Right to be forgotten under GDPR


As we all know that the Right to be Forgotten or the Right to Erasure is deemed to be an essential ingredient of our privacy rights and was highlighted or came into light in the European Union with the 2014 judgment of the Court of Justice of the European Union, involving Google. This judgement recognized that the Right to erasure is a fundamental Data Subject Right in the General Data Protection Right (GDPR). 


What is the Right to be forgotten? 

The Right to be Forgotten is mentioned under Article 17 (2) of the GDPR where it is stated that “The data subject shall have a right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.” This implies that the controller needs to check the conditions for erasure without undue delay. Apart from this, under Article 19 of the GDPR, the controller is also obliged to inform all the recipients regarding any changes or erasure made to the data and the controller shall also inform the data subject about those recipients/receivers if the data subject requests it. 


How does the right to erasure apply?  

  • If the data was collected for a purpose, and such purpose has been accomplished. 
  • In a situation where you have revoked your consent for further processing and the lawful requirement for processing of data is not there. 
  • In a situation where you deny further processing and there is no further legitimate basis for processing.  
  • In a situation of unlawful data processing.  
  • In a situation of processing your data for direct marketing purposes. 
  • In a situation where the data must be erased in compliance with a legal ruling or such obligations. 
  • In a situation where the organization has processed a child’s data to give it to information society services. 

When does the Right to process data supersede the Right to be Forgotten? 

  • When the right to freedom of expression overrides privacy rights. 
  • When the data used is to comply with legal obligation or ruling. 
  • When personal data is being used for performing a task in the public interest. 
  • When data is considered necessary for public health reasons. 
  • When data is being used for legal claims. 


The Right to be Forgotten is not an absolute right and is limited in nature with all its conditions applied. However, if one of the above conditions regarding the necessary deletion/erasure of data is fulfilled and satisfied, the data controller shall be obliged under the #gdpr to take requisite and reasonable measures without causing any undue delay.

Major Privacy Updates of the Week

Indian Defence Personnel Targeted by Android RAT Group

Since at least July 2021, a malicious Android installation programme has been observed targeting Indian defence personnel. The information was revealed in a report by Cyfirma, the APK [android package kit] file in this example is a fake version of a letter promoting the victim to the level of “Subs Naik.” Once the victim installs the malicious APK, it takes the form of an icon that looks like Adobe Reader on their device. The threat actors who created the tool were utilising a Spymax RAT (remote access trojan) variation, a programme whose source code is already accessible on dark web forums. 

Read More.

Mississippi Election Websites Knocked Offline by DDoS Attack on Election Day

Election officials in Mississippi stated that the state had been subjected to a coordinated cyberattack that periodically prevented their website from operating on Election Day. The website for the office was allegedly unavailable all day due to a “abnormally huge spike in traffic volume due to DDoS activities,” according to officials. Prior to the 2022 midterm elections, the Russian “hacktivist” organisation Killnet revealed a list of many government websites it planned to target on Telegram. 

Read More.

Hackers Began Leaking Sensitive Medical Records on Dark Web as Medibank Refuses to Pay Ransom

In the wake of Medibank’s cyberattack, it was discovered that all 9.7 million of its current and past clients were compromised. According to information provided by Medibank, the alleged hackers sought $1 for each customer’s data, totaling US$9.7 million in ransom. In response, Medibank stated that it will not fulfil the ransom demand. The ransomware group started disseminating the stolen data, which includes client names, dates of birth, passport numbers, and details of medical claims. 

Read More.

Shangri-La Hotels Hit by a Major Data Breach

Major data breach has affected the Shangri-La Group, a chain of luxury hotels. Personal information belonging to guests who stayed at its hotels in cities like Tokyo, Singapore, Thailand, Taipei, and Hong Kong was breached. The breach may have an impact on more than 290,000 people, according to the Hong Kong Office of the Privacy Commissioner for Personal Data. According to the hotel chain, it is doubtful that the compromise affected the data of the foreign government representatives who attended the defence submit in June. 

Read More.

IT Army of Ukraine Gains Access to Russian Central Bank Documents

Ukrainian IT experts have acquired access to the Central Bank of the Russian Federation’s internal networks and are analysing the data there. One of Russia’s most significant financial organisations, the central bank is responsible for creating the country’s monetary policy and regulating the currency. 27,000 reportedly stolen files totaling 2GB were made public and describe the operations of the bank, its security procedures, and the personal information of some of its present and former workers. The bank has refuted claims that its system was compromised. 

Read More.

Curated by: Prajwala D Dinesh, Ritwik Tiwari, Ayush Sahay


Keep up to pace with this high-impact weekly privacy newsletter that
features significant data privacy updates, trends, and tools that can
help to make your life secure & easier every day!

*By clicking on subscribe, I agree to receive communications from Tsaaro