The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

In detail

What is the right to erasure?

Article 17 of the GDPR gives both adults and children the right to have their personal data erased in some specified circumstances where, although the original collection and processing may have been compliant with the GDPR, continuing to hold their personal data against their wishes is not. It is sometimes known as the ‘right to be forgotten’. The right is overridden if certain compelling reasons to retain the personal data apply, despite the individual’s objections. For further detail of the circumstances in which it applies and the reasons for which it can be overridden please see our Guide to the GDPR.

What does the GDPR say about the right to erasure and children?

Recital 65 of the GDPR says that the right to erasure:

“…is relevant in particular where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet. The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child….”

This is consistent with the general principle at Recital 38 that children merit specific protection because they may be less aware of the risks and consequences of processing their personal data, and applies regardless of whether the consent was originally given in an online or offline context.            

In addition, Article 17(1)(f) provides that one of the specific circumstances in which the right to erasure applies is when:

“the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).”

Further guidance on the child specific Article 8(1) provisions is given in What are the rules about ISS and consent?

What does this mean in practice?

If an individual wants you to erase personal data that they provided when they were a child, then you should comply with their wishes whenever you can. Especially if it seems likely that they gave their personal data without fully understanding the implications of doing so.

The GDPR seeks to provide a greater degree of control over their personal data for individuals and the right to erasure is part of this.

However, the right to erasure is not an absolute right, and it can be overridden in certain circumstances, including where it is necessary for exercising the right of freedom of expression and information. When considering whether the right to erasure should be overridden in this case, you should take into account that freedom of expression is itself a qualified right. It may be restricted if this is necessary for the protection of the rights of others. So effectively you need to balance the right to freedom of expression against the need to protect the rights of others.

In a situation where a data subject provided their data when they were a child, without fully understanding the implications of doing so, there will generally be an increased expectation of what may be considered ‘necessary’ to protect the rights of the child. So the right to erasure is more likely to prevail in this circumstance then if data was provided by an adult. This will have to be decided on a case by case basis.

There are further circumstances in which the right to erasure can be restricted. However, we do not consider these any further here as we do not think they raise any particular, child specific issues. See our Guide to the GDPR for further detail on all the circumstances in which the right to erasure does not apply.

You need to make sure that your processes for exercising the right of erasure are easy for a child to access and understand. Article 7(3) of the GDPR says that it ’shall be as easy to withdraw consent as it is to give it’. We consider that, as a matter of good practice, this general principle should also apply to any processes related to the right to erasure. So as far as possible, it should be as easy for a child to get their personal data erased as it was for them to provide it in the first place. For example, if you started processing without asking the child to provide original identity documents then it is usually disproportionate to make this a condition of erasure.

In an online context dashboards and take-down tools should be available to allow children and other users to easily delete or remove personal data.

The right to erasure does not necessarily have to be exercised by the same person as provided the original consent. If consent was originally provided by a holder of parental responsibility this does not mean that they will also have to request the erasure. If the data subject is no longer a child, or if they are now competent to exercise their rights on their own behalf then you should usually accept their request for erasure without needing to involve the parent (or holder of parental responsibility).

Similarly, if a child is competent to provide their own consent to processing and to exercise their own data protection rights you should not accept a request to erase personal data from a holder of parental responsibility without taking the wishes of the child into account.

In cases where there is a dispute between a child and their parent about whether personal data should be erased or not, or where a child wishes to have personal data erased without their parent’s knowledge, then you need to consider the level of understanding of the child and also what is in their best interests. This needs to be done on a case by case basis. Similarly in cases where there is more than one holder of parental responsibility and they do not agree about whether the personal data should be erased or not, you should take the child’s views into account when appropriate and the best interests of the child should prevail.

Further reading

The ICO has published the Delisting criteria it uses under the 1998 Act    when it receives requests for personal data that has been posted online to be delisted. These were jointly agreed by the ICO and other European data protection authorities.