Right to be forgotten

The development of modern technologies and the digitalization of private life give rise to situations that have a permanent basis in the digital space. A post published on the Internet, regardless of the portal and very often no more than a joke or a short-lived opinion, may have consequences in the private, professional and even public sphere many years later. After all, “the Internet does not forget”.

Article 17 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Official Journal of the European Union 2016, no 119, p. 1 with amendments), hereinafter referred to as the GDPR, is intended to counteract such situations.

Article 17

Right to erasure (‘right to be forgotten’)

  1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

  2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

  3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

(a) for exercising the right of freedom of expression and information;

(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);

(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

(e) for the establishment, exercise or defence of legal claims.

This provision establishes two categories of entitlements. The first of these, in article 17 section 1, is the right to erasure of personal data. The GDPR sets out an exhaustive list of situations in which a data subject may obtain erasure of data but, owing to the broad wording of the individual grounds, the list should be deemed complete. The second entitlement is the right to be forgotten (article 17 section 2 of the GDPR). It should be noted that the right to erasure is primary in character, because the right to be forgotten applies only where the data subject exercises the right to erasure and provided that the controller has made the personal data public.[1]

The right to be forgotten is wider in scope than the one adopted until now in European jurisprudence, which was based on article 12 letter b of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Official Journal of the European Union 1995 No 281, p. 31 with amendments)[2]. Article 17 section 2 of the GDPR, analyzed here, imposes on a data controller that is obliged to erase personal data an additional duty to inform other controllers about the data subject's request. The actions taken by the controller in this respect should be ‘reasonable’, i.e. actions that are possible for the controller with the available technologies. These actions are intended to remove all personal data covered by the erasure request that were made accessible on the Internet and in other sources.

It should also be noted that a violation of article 17 of the GDPR may result in an administrative fine of up to 20.000.000,00 EUR and, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever amount is higher (article 83 section 5 letter b).

 

Advocate Mateusz Budziarek

 

[1] M. Czerniawski, in E. Bielak-Jomaa, D. Lubasz (ed.) RODO. Ogólne rozporządzenie o ochronie danych. Komentarz, Warsaw, Wolters Kluwer, 2018.

[2] Cf. i.a. judgment of the Court of Justice of 13th May 2014, C-131/12, ZOTSiS 2014/5/I-317.
