Publications
Constitutional Law and Criminal Law
Share

Right to Erasure of Personal Data (GDPR)
Josef Aujezdský
Partner
2020/02/03
4 minutes to read

Regulation (EU) 2016/679 of the European Parliament and of the Council, designated as GDPR (hereinafter “the Regulation”), regulates in its Article 17 the right of the data subject to erasure of his or her personal data (the so-called right to be forgotten). Given that in practice we encounter a number of queries from traders regarding this entitlement, we have decided to address it briefly in this legal circular. We thereby follow on from legal circular No. 10/2017, within which we addressed the issues of general provisions related to the exercise of rights by data subjects.

Firstly, it is necessary to mention that the right to erasure may be exercised by the data subject (for example, an employee or customer) only in specified cases established in the Regulation. The trader will be obliged to actually erase personal data particularly in those cases where the processing of personal data takes place on the basis of the data subject’s consent, whilst no other legal basis exists for the processing of such personal data. The most frequent case in practice will likely be a request for removal from a contact database for sending commercial communications. However, from a substantive perspective, this is not a change for traders, as even under the Act on Certain Information Society Services, the customer must have “a clear and distinct possibility in a simple manner, free of charge … to refuse consent to such use of his or her electronic contact even when sending each individual message, if he or she did not originally refuse such use.”

Nevertheless, as has been repeatedly stated by us, customer consent will not be the most frequent legal basis for the processing of personal data in the operation of a regular internet shop. Far more significant in practice will be the processing of personal data whose legal basis will be the performance of a contract by the trader (or negotiations for the conclusion of such a contract) or the fulfilment of the trader’s legal obligations arising from public law regulations. In the case of such processing, the internet trader will not be able and obliged to comply with the request for erasure of personal data, but naturally only on the condition that the personal data are still necessary for the purposes for which they were collected or otherwise processed. In this connection, it is also necessary to bear in mind that the general principle of so-called storage limitation contained in the provision of Article 5(1)(e) of the Regulation always applies.

For better illustration, we shall mention a practical example. The trader receives a message from a customer that he or she requires the erasure of all his or her personal data processed by such trader. In such a case, the trader should carry out the erasure of personal data processed on the basis of the customer’s consent, unless, however, he or she is also processing them on another legal basis (for example, the customer’s address may in a specific case be processed not only for the purpose of direct marketing, but also for the purpose of performance of the contract). The trader should also carry out the erasure of all those personal data of the applicant which are no longer necessary for the purposes for which they were collected or otherwise processed. However, it will not be possible to erase some personal data, particularly with regard to the fact that the purpose of their processing has not yet ceased (for example, rights under the contract concluded with the customer still exist) or for reasons that such personal data are necessary “for the establishment, exercise or defence of legal claims” of the trader. The trader should also inform the customer in this spirit.

Naturally, some technical aspects related to the right to erasure of personal data may be more complex, also in relation to back-up carried out by the trader. As was mentioned in the October circular, the time limit for erasure of personal data is conceived as “without undue delay and in any event within one month of receipt of the request. This time limit may, if necessary and having regard to the complexity and number of requests, be extended by a further two months.” These time limits should apparently provide sufficient scope for the trader to be able to comply with the request for erasure of personal data.

Josef Aujezdský, Lawyer

Law Firm Mašek, Kočí, Aujezdský www.e-Advokacie.cz – on-line legal counselling

This text was originally prepared by the law firm Mašek, Kočí, Aujezdský in cooperation with the Association for Electronic Commerce (APEK) as legal circular No. 02/2018 intended for members of this association.

This text was translated from Czech to English using an AI translator.

Enter

More to read

Constitutional Law and Criminal Law

Regulation on General Product Safety

2025/12/19

>
Constitutional Law and Criminal Law

Obligations of the seller in marking goods

2025/12/07

>

Mašek, Kočí, Aujezdský are members of Czech Electronic Commerce Association (APEK) and Mackrell International.
Nosko & Partners s.r.o. is Czech and Slovak member of Interlegal.

© Mašek, Kočí, Aujezdský 2003-2026. All rights reserved.