#AtoZofGDPR - E is for Erasure

  1. Home
  2. Blog
  3. Single Post
Written by Stuart Anderson in #AtoZofGDPR on October 29, 2018

#AtoZofGDPR - E is for Erasure

Article 17 of the GDPR deals with the right to Erasure, commonly known as the ‘Right to be Forgotten’. This right was brought into public prominence by the case Google Spain SL, Google Inc vs Agencia Española de Protección de Datos, Mario Costeja González (2014)

Sr. Gonzalez argued that an auction liting for his repossessed home, viewable on Google’s search results infringed his privacy rights.

Sr. Gonzalez requested that the Newspaper which listed the property be required to amend or remove the pages in question so that the personal data belonging to him no longer appeared. In addition, he also requested that Google be required to remove the personal data relating to him from its search results.

The basis for the request for removal was that the repossession proceedings against Sr Gonzalez had been resolved for some years and hence any reference to these proceedings was irrelevant.

The Spanish court referred the case to the Court of Justice of the European Union asking:

  • (a) whether the EU’s 1995 Data Protection Directive applied to search engines such as Google;
  • (b) whether EU law (the Directive) applied to Google Spain, given that the company’s data processing server was in the United States;
  • (c) whether an individual has the right to request that his or her personal data be removed from accessibility via a search engine (the ‘right to be forgotten’).

In its ruling of 13 May 20141 the EU Court said :

  • a) On the territoriality of EU rules : Even if the physical server of a company processing data is located outside Europe, EU rules apply to search engine operators if they have a branch or a subsidiary in a Member State;
  • b) On the applicability of EU data protection rules to a search engine : Search engines are controllers of personal data. Google can therefore not escape its responsibilities before European law when handling personal data by saying it is a search engine. EU data protection law applies and so does the right to be forgotten.
  • c) On the “Right to be Forgotten” : Individuals have the right - under certain conditions - to ask search engines to remove links with personal information about them. This applies where the information is inaccurate, inadequate, irrelevant or excessive for the purposes of the data processing (para 93 of the ruling). The court found that in this particular case the interference with a person’s right to data protection could not be justified merely by the economic interest of the search engine. At the same time, the Court explicitly clarified that the right to be forgotten is not absolute but will always need to be balanced against other fundamental rights, such as the freedom of expression and of the media (para 85 of the ruling). A case-by-case assessment is needed considering the type of information in question, its sensitivity for the individual’s private life and the interest of the public in having access to that information The role the person requesting the deletion plays in public life might also be relevant.
So, in practical terms, there are certain things that need to be considered when you receive a request for the Right to be Forgotten.

This right is NOT absolute. Data can only be erased if:

  • The personal data is no longer necessary for the purpose which it was originally collected or processed;
  • You are relying on consent as your lawful basis for holding the data, and the individual withdraws their consent;
  • You are relying on legitimate interests as your basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
  • You are processing the personal data for direct marketing purposes and the individual objects to that processing;
  • You have processed the personal data unlawfully (ie in breach of the lawfulness requirement of the 1st principle of GDPR);
  • You have to delete the data to comply with a legal obligation; or
  • You have processed the personal data to offer information society services to a child.
Organisations can refuse to comply with a Right to be Forgotten request if:
  • The processing is protected by the right of freedom of expression
  • Processing the data is necessary to comply with a legal obligation for the performance of a public interest task or exercise of official authority.
  • The data is for health purposes in the public interest.
  • The data is being used for archiving purposes in the public interest, scientific or historical research, or statistical purposes
  • The processing is necessary to exercise or defend legal claims