Right to be Forgotten
GDPR introduces the concept of the right to be forgotten, which allows a person to request that their data be erased. This applies to all data controllers. (Every company to some extent is a data controller.)
According to Article 17, data controllers must erase personal data “without undue delay” if the processing was unlawful, the data is no longer needed, or the data subject objects to the processing. In GDPR lingo, the data subject is the person whose data has been collected, aka “the user or the customer.”
There are some exceptions (for example, it cannot supersede any law requiring an organisation to maintain certain data.
This requirement extends to any company that has made personal data public, especially if it’s online (e.g., an online forum or social media community). The data controller is required to take “reasonable steps,” defined as cost to comply and technology available, to inform any other controller who has processed the data about the data subject’s request.