Article 17 GDPR: Difference between revisions
Line 235: | Line 235: | ||
==== Obligation to erase personal data ==== | ==== Obligation to erase personal data ==== | ||
The erasure of personal data is not solely based on a request from the data subject. In accordance with Article 5 of the GDPR, and in particular the principles of lawfulness, data minimization, and storage limitation, the controller must carry out the deletion independently if one of the elements included in the list (a-f) is met. For example, in the event that the data subject revokes their consent, it would be appropriate to proceed with the deletion of all personal data associated with the unauthorized processing. The same applies to processing that has achieved its purpose and therefore no longer has a viable purpose. In this case, it would also be necessary to delete all associated data. | The erasure of personal data is not solely based on a request from the data subject. In accordance with Article 5 of the GDPR, and in particular the principles of lawfulness, data minimization, and storage limitation, the controller must carry out the deletion independently if one of the elements included in the list (a-f) is met. For example, in the event that the data subject revokes their consent, it would be appropriate to proceed with the deletion of all personal data associated with the unauthorized processing. The same applies to processing that has achieved its purpose and therefore no longer has a viable purpose. In this case, it would also be necessary to delete all associated data. However, a blind execution of this obligation leads to unacceptable results. Taking inspiration from the examples mentioned earlier, in the case of consent withdrawal, it is necessary to assess the scope of the data subject's action. If the revocation does not concern the entire processing but only a specific part, an indiscriminate erasure would not only be unadvisable but also inadmissible. The same applies when the purpose of the processing is pursued. In this circumstance, the data subject may request a restriction of processing (Article 18 GDPR) instead of deletion (Article 17(1)(a) GDPR), and a controller-initiated deletion may be deemed abusive. Based on the aforementioned considerations, meticulous scholars elaborate an obligation of the controller, based on the facilitation obligation under Article 12(2) GDPR, to evaluate the situation on a case-by-case basis and, where necessary, contact the data subject for any clarifications regarding their intentions.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 17 GDPR, margin numbers 8-16 (C.H. Beck 2020, 3rd Edition).</ref> | ||
==== Erasure must be done where one of the following grounds applies ==== | |||
===== (a) Data no longer necessary for the initial purposes ===== | |||
===== (a) Data | |||
The personal data must be erased if they are no longer necessary for the purpose(s) they were initially collected for or otherwise processed. This scenario reflects the general GDPR principles of "purpose limitation" and “storage limitation” as provided for in Articles 5(1)(b) and (e) GDPR. | The personal data must be erased if they are no longer necessary for the purpose(s) they were initially collected for or otherwise processed. This scenario reflects the general GDPR principles of "purpose limitation" and “storage limitation” as provided for in Articles 5(1)(b) and (e) GDPR. | ||
Determining when a purpose no longer exists is not a straightforward matter, as it varies case by case. Fixed deadlines cannot be set to address this issue. The European Court of Justice has established that an examinee can request that their examination answers and the examiner's comments be deleted once they are no longer necessary for identification, such as when the examination process is completed and the answers and comments have lost their probative value. Similarly, applicants' data can be deleted once the selection process has ended and there is no longer any legal protection against the appointment.<ref>''Kamann, Braun'' in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 17 GDPR, margin number 21 (C.H. Beck 2018, 2nd Edition).</ref> <blockquote><u>Example</u>: Once the electronic health card has been issued, a health insurance company no longer requires the photograph to be stored, as an example. Similarly, if there are no further labour law disputes with an employee, an employer no longer needs to store a warning letter after the termination of the employment relationship, as noted in another example. Additionally, a provider of basic security for job seekers is not required to retain a copy of the identity card after the end of the benefit period.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 17 GDPR, margin number 17 (C.H. Beck 2020, 3rd Edition).</ref> </blockquote>The above is true unless the processing of personal data is ''“necessary for realising another purpose of processing that partially overlaps with or is compatible with the eliminated purpose”'' under Article 6(4) GDPR.<ref>See, ''Voigt, von dem Bussche'', The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 157 (Springer 2017), citing Laue et al., Datenschutzrecht, Rechte der betroffenen Person (2016), margin number 41.</ref> Art 6(4) GDPR establishes that, in order for the controller to determine whether processing for another purpose is possible (''i.e.'' compatible with the purpose for which the personal data was initially collected), certain elements have to be taken into consideration (''inter alia'', the link between the former and further purpose, the context or relationship between the data subject and the controller, the nature of the personal data, the possible consequences of further processing, and the existence of appropriate safeguards). In such case, that is to say, when "further processing" is possible, erasure of personal data can be avoided. <blockquote><u>Example</u>: XXX </blockquote> | Determining when a purpose no longer exists is not a straightforward matter, as it varies case by case. Fixed deadlines cannot be set to address this issue. The European Court of Justice has established that an examinee can request that their examination answers and the examiner's comments be deleted once they are no longer necessary for identification, such as when the examination process is completed and the answers and comments have lost their probative value. Similarly, applicants' data can be deleted once the selection process has ended and there is no longer any legal protection against the appointment.<ref>''Kamann, Braun'' in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 17 GDPR, margin number 21 (C.H. Beck 2018, 2nd Edition).</ref> <blockquote><u>Example</u>: Once the electronic health card has been issued, a health insurance company no longer requires the photograph to be stored, as an example. Similarly, if there are no further labour law disputes with an employee, an employer no longer needs to store a warning letter after the termination of the employment relationship, as noted in another example. Additionally, a provider of basic security for job seekers is not required to retain a copy of the identity card after the end of the benefit period.<ref>''Herbst'', in Kühling, Buchner, DS-GVO BDSG, Article 17 GDPR, margin number 17 (C.H. Beck 2020, 3rd Edition).</ref> </blockquote>The above is true unless the processing of personal data is ''“necessary for realising another purpose of processing that partially overlaps with or is compatible with the eliminated purpose”'' under Article 6(4) GDPR.<ref>See, ''Voigt, von dem Bussche'', The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 157 (Springer 2017), citing Laue et al., Datenschutzrecht, Rechte der betroffenen Person (2016), margin number 41.</ref> Art 6(4) GDPR establishes that, in order for the controller to determine whether processing for another purpose is possible (''i.e.'' compatible with the purpose for which the personal data was initially collected), certain elements have to be taken into consideration (''inter alia'', the link between the former and further purpose, the context or relationship between the data subject and the controller, the nature of the personal data, the possible consequences of further processing, and the existence of appropriate safeguards). In such case, that is to say, when "further processing" is possible, erasure of personal data can be avoided. <blockquote><u>Example</u>: XXX </blockquote> | ||
=====(b) Withdrawal of | =====(b) Withdrawal of consent and no other legal basis===== | ||
When the legal basis for processing is consent as provided for in Article 6(1)(a) GDPR or, as the case may be, Article 9(2)(a) GDPR when special categories of personal data are concerned. According to Article 7(3) GDPR, the data subject may withdraw their consent at any time. If this happens, and there is no other applicable legal ground,<ref>The provision's explicit acknowledgement of the potential for alternative legal grounds suggests that the initial processing may have relied on multiple legal bases concurrently, such as consent and another legal basis under Articles 6 or 9 GDPR. See, ''Kamann, Braun'' in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 17 GDPR, margin number 23 (C.H. Beck 2018, 2nd Edition).</ref> the processing becomes unlawful and, in general,<ref>See, "''Obligation to erase personal data''" above.</ref> data must be erased under Article 17(1)(b) GDPR.<blockquote><u>Example</u>: XXX</blockquote> | |||
Direct marketing should be interpreted in a broad sense, and as ''Carey'' points out, this right | =====(c) Objection to processing and no overriding legitimate grounds exist===== | ||
According to this provision, a data subject may request - or a controller be required to carry out - an erasure when an objection to processing in accordance with Article 21(1) GDPR has been raised<ref>Article 21(1) establishes the right to objection based on the data subject’s particular situation, when processing is based on the legal bases in Article 6(1)(e) and (f) GDPR (processing is necessary for the performance of a task in the public interest or legitimate interest of the controller), including profiling based on these provisions.</ref> and there there are no compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject,<ref>The data controller bears the burden of demonstrating whether the overriding legitimate grounds exist. However, the data subject must argue the reasons for its request. Furthermore, the controller would have ''“the right to revaluate the situation as its own interests for processing might still prevail and an erasure might not have to take place. This evaluation might require some time, and thus the data subject could exercise its right to restriction of processing in the meantime.''” See, ''Voigt, von dem Bussche'', The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 157 (Springer 2017).</ref> or for the establishment, exercise or defense of legal claims. In case of direct marketing,<ref>Direct marketing should be interpreted in a broad sense, and as ''Carey'' points out, this right applies not only to records of marketing communications sent to individuals but also to any personal data held for direct marketing, including data used for profiling. This includes data held for political canvassing and charitable fundraising purposes, as direct marketing encompasses any targeted communication that promotes an organization's goals and values. See, ''Carey'', Data Protection: A Practical Guide to UK and EU Law, p. 144 (Oxford University Press, 2018, 5th Edition).</ref> an objection pursuant to Article 21(2) GDPR renders any further processing for the same purpose unlawful. This prevents the controller from carrying out any further direct marketing and should bring to the erasure of any linked data from its databases. However, if the same data is used for other purposes, that processing will still be possible provided that there is another applicable legal basis. <blockquote><u>Example</u>: XXX </blockquote> | |||
=====(d) Unlawful | =====(d) Unlawful processing===== | ||
Processing can be unlawful for a number of reasons. Most commonly, processing is unlawful when it lacks any legal basis as prescribed in Article 6 GDPR or Article 9 GDPR, or when it violates the obligations of data controllers under the GDPR as provided for mainly in Chapter 2 and 4. As ''Voigt and von dem Bussche'' observe, ''“this provision can be seen as a sweeping clause, as it grants a right to erasure where processing is unlawful, whether it is for a lacking legal permission for processing or for non-compliance with the Regulation, such as regarding the organisational obligations of the controller”.''<ref>''Voigt, von dem Bussche'', The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 158 (Springer 2017).</ref> | Processing can be unlawful for a number of reasons. Most commonly, processing is unlawful when it lacks any legal basis as prescribed in Article 6 GDPR or Article 9 GDPR, or when it violates the obligations of data controllers under the GDPR as provided for mainly in Chapter 2 and 4. As ''Voigt and von dem Bussche'' observe, ''“this provision can be seen as a sweeping clause, as it grants a right to erasure where processing is unlawful, whether it is for a lacking legal permission for processing or for non-compliance with the Regulation, such as regarding the organisational obligations of the controller”.''<ref>''Voigt, von dem Bussche'', The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 158 (Springer 2017).</ref> | ||
=====(e) Compliance with a | =====(e) Compliance with a legal obligation===== | ||
This provision establishes a legal basis analogous to the legal basis for processing under Article 6(1)(c) GDPR. It contains opening clause by which legal obligations are left to the discretion of Member States Hence, additional cases which would justify the erasure of data can be introduced at a national level. | This provision establishes a legal basis analogous to the legal basis for processing under Article 6(1)(c) GDPR. It contains opening clause by which legal obligations are left to the discretion of Member States Hence, additional cases which would justify the erasure of data can be introduced at a national level. | ||
=====(f) Information | =====(f) Information society services to children===== | ||
This provision is meant to ensure a more thorough protective scheme for children, who enjoy increased protection under the GDPR. According to Article 8(1) GDPR, a child is anyone below the age of 16, though Member States have the discretion to establish a lower age for those purposes (the age of 13 is the minimum permitted age according to the GDPR). According to Article 4(25) GDPR ''“‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council.”'' Recital 65 GDPR establishes a reason for this provision, stating that where the data subject has given their consent as a child, and are not fully aware of the risks involved in the processing operations, they may want to remove such personal data, especially on the internet. The aforementioned Recital 65 also offers the possibility of exercising this right even when the data subject is no longer a child. According to ''Voigt and von dem Bussche'', ''“it is unclear whether this right to erasure equals a withdrawal of consent and, thus, this provision would not have a separate scope of application as it would be a sub-part of Art. 17 Sec. 1 lit. a GDPR. Given the legislator’s aim to increase the protection of children and the otherwise lacking additional benefit, the provision should allow a request for erasure of selective personal data (where possible) without a withdrawal of the consent for processing altogether.''<ref>''Voigt, von dem Bussche'', The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 158 (Springer 2017).</ref> | This provision is meant to ensure a more thorough protective scheme for children, who enjoy increased protection under the GDPR. According to Article 8(1) GDPR, a child is anyone below the age of 16, though Member States have the discretion to establish a lower age for those purposes (the age of 13 is the minimum permitted age according to the GDPR). According to Article 4(25) GDPR ''“‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council.”'' Recital 65 GDPR establishes a reason for this provision, stating that where the data subject has given their consent as a child, and are not fully aware of the risks involved in the processing operations, they may want to remove such personal data, especially on the internet. The aforementioned Recital 65 also offers the possibility of exercising this right even when the data subject is no longer a child. According to ''Voigt and von dem Bussche'', ''“it is unclear whether this right to erasure equals a withdrawal of consent and, thus, this provision would not have a separate scope of application as it would be a sub-part of Art. 17 Sec. 1 lit. a GDPR. Given the legislator’s aim to increase the protection of children and the otherwise lacking additional benefit, the provision should allow a request for erasure of selective personal data (where possible) without a withdrawal of the consent for processing altogether.''<ref>''Voigt, von dem Bussche'', The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 158 (Springer 2017).</ref> | ||
===(2) Obligation to | ===(2) Obligation to inform other controllers ("Right to be forgotten")=== | ||
This paragraph establishes an additional obligation for controllers who have made personal data public, to take reasonable steps to inform other controllers (including employees of the controller), processors, and third parties, which are processing this data, that its erasure has been requested by a data subject. . Article 17(2) GDPR is read together with Article 19 GDPR, which foresees the communication of any erasure of personal data to each recipient to whom the personal data had been disclosed (unless this proves impossible or entails disproportionate effort), as well as informing the data subject about those recipients if requested. Recital 66 GDPR clearly states that this addition is meant to "strengthen the right to be forgotten in the online environment", although it is not limited to this kind of processing. This paragraph is a clear reflection of the ruling in ''Google Spain.''<ref>CJEU, Case C-131/12, ''Google Spain,'' 13 May 2014 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=152065&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=4064266 here]).</ref> | This paragraph establishes an additional obligation for controllers who have made personal data public, to take reasonable steps to inform other controllers (including employees of the controller), processors, and third parties, which are processing this data, that its erasure has been requested by a data subject. . Article 17(2) GDPR is read together with Article 19 GDPR, which foresees the communication of any erasure of personal data to each recipient to whom the personal data had been disclosed (unless this proves impossible or entails disproportionate effort), as well as informing the data subject about those recipients if requested. Recital 66 GDPR clearly states that this addition is meant to "strengthen the right to be forgotten in the online environment", although it is not limited to this kind of processing. This paragraph is a clear reflection of the ruling in ''Google Spain.''<ref>CJEU, Case C-131/12, ''Google Spain,'' 13 May 2014 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=152065&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=4064266 here]).</ref> | ||
Line 276: | Line 268: | ||
===(3) Exceptions=== | ===(3) Exceptions=== | ||
The exceptions here are not absolute, and a necessity test will be required. The refusal of the erasure is only allowed ''"to the extent that processing is necessary"'' for the reasons below. This means that a data subject may exercise the right to erasure when the processing is no longer necessary, or when it is carried out at a level beyond what is necessary. In any case, the data controllers bear the burden of demonstrating and proving that any exception that they may rely on is applicable. | The exceptions here are not absolute, and a necessity test will be required. The refusal of the erasure is only allowed ''"to the extent that processing is necessary"'' for the reasons below. This means that a data subject may exercise the right to erasure when the processing is no longer necessary, or when it is carried out at a level beyond what is necessary. In any case, the data controllers bear the burden of demonstrating and proving that any exception that they may rely on is applicable. | ||
====(a) Freedom of | ====(a) Freedom of expression and information==== | ||
This exception reflects one of the most common balancing tests that not only courts but also many data protection authorities have been called upon to implement. When attempting to strike a balance, the following two factors need to be taken into consideration: first, the nature of information in question and its sensitivity for the data subject’s private life, and second, the public’s interest in accessing the information, which may vary depending on the data subject’s role in public life. Results may vary from case to case, but when the data is about a public figure or about the professional life of a data subject, the argument for refusing erasure in favour of freedom of expression and information usually prevails. Article 85(1) GDPR is relevant here, according to which ''"Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression."'' | This exception reflects one of the most common balancing tests that not only courts but also many data protection authorities have been called upon to implement. When attempting to strike a balance, the following two factors need to be taken into consideration: first, the nature of information in question and its sensitivity for the data subject’s private life, and second, the public’s interest in accessing the information, which may vary depending on the data subject’s role in public life. Results may vary from case to case, but when the data is about a public figure or about the professional life of a data subject, the argument for refusing erasure in favour of freedom of expression and information usually prevails. Article 85(1) GDPR is relevant here, according to which ''"Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression."'' | ||
It is important to take into consideration that according to Recital 153 GDPR, ''“in order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly.”'' According to ''Voigt and von dem Bussche, “this exception might become highly relevant in practice as this right cannot only be invoked by the press but also by any entity”'', as well as any individual.<ref>''Voigt, von dem Bussche'', The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 159 (Springer 2017).</ref> ''Voigt and von dem Bussche'' also note that ''“under this exception, an erasure of opinions should be excluded. However, the distinction between personal data and opinion can be difficult where an opinion is based on personal data. In such a case, it needs to be balanced out whether the underlying personal data is still necessary for forming an opinion. The older the personal data is, the more improbable is their necessity for forming an opinion.”''<ref>''Voigt, von dem Bussche'', The EU General Data Protection Regulation (GDPR): A Practical Guide, pp. 159-160 (Springer 2017).</ref> | It is important to take into consideration that according to Recital 153 GDPR, ''“in order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly.”'' According to ''Voigt and von dem Bussche, “this exception might become highly relevant in practice as this right cannot only be invoked by the press but also by any entity”'', as well as any individual.<ref>''Voigt, von dem Bussche'', The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 159 (Springer 2017).</ref> ''Voigt and von dem Bussche'' also note that ''“under this exception, an erasure of opinions should be excluded. However, the distinction between personal data and opinion can be difficult where an opinion is based on personal data. In such a case, it needs to be balanced out whether the underlying personal data is still necessary for forming an opinion. The older the personal data is, the more improbable is their necessity for forming an opinion.”''<ref>''Voigt, von dem Bussche'', The EU General Data Protection Regulation (GDPR): A Practical Guide, pp. 159-160 (Springer 2017).</ref> | ||
====(b) Compliance with a | ====(b) Compliance with a legal obligation, public interest, official authority==== | ||
These situations refer to the grounds of processing contained in Article 6(1)(c) and (e). A common instance of such compliance with a legal obligation is compliance with national commercial or tax laws which may require the retention and processing of personal data. | These situations refer to the grounds of processing contained in Article 6(1)(c) and (e). A common instance of such compliance with a legal obligation is compliance with national commercial or tax laws which may require the retention and processing of personal data. | ||
====(c) Public | ====(c) Public health==== | ||
This section establishes an exception based on public health reasons, making specific references to provisions in Article 9 GDPR related to the processing of special categories of personal data. | This section establishes an exception based on public health reasons, making specific references to provisions in Article 9 GDPR related to the processing of special categories of personal data. | ||
Line 292: | Line 284: | ||
According to Recital 54 GDPR, the interpretation of “public health” corresponds to Regulation (EC) No 1338/2008,[Regulation (EC) No 1338/2008 of the European Parliament and of the Council of 16 December 2008 on Community statistics on public health and health and safety at work (available here).] which includes ''“namely all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality.”'' | According to Recital 54 GDPR, the interpretation of “public health” corresponds to Regulation (EC) No 1338/2008,[Regulation (EC) No 1338/2008 of the European Parliament and of the Council of 16 December 2008 on Community statistics on public health and health and safety at work (available here).] which includes ''“namely all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality.”'' | ||
====(d) Archiving, | ====(d) Archiving, scientific, historical research, statistical purposes==== | ||
This section (which mirrors Article 9(2)(j) GDPR) contains a processing exception for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR, which in turn establishes that these processing purposes must be subject to appropriate safeguards for the rights and freedoms of data subjects. Among those safeguards, this article places an emphasis on data minimisation, and mentions pseudonymisation as a possible measure. This exception will apply when the right to erasure will have a considerable effect on these purposes, either rendering them impossible, or seriously impairing them. | This section (which mirrors Article 9(2)(j) GDPR) contains a processing exception for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR, which in turn establishes that these processing purposes must be subject to appropriate safeguards for the rights and freedoms of data subjects. Among those safeguards, this article places an emphasis on data minimisation, and mentions pseudonymisation as a possible measure. This exception will apply when the right to erasure will have a considerable effect on these purposes, either rendering them impossible, or seriously impairing them. | ||
====(e) Legal | ====(e) Legal claims==== | ||
This provision (which also partly mirrors Article 9(2)(f) GDPR) establishes an exception which prevents data subjects from demanding an erasure of their personal data that might be relevant for the establishment, exercise or defense of legal claims, which should be interpreted broadly to include both public and private law claims. It should also be noted that these legal claims bust be either already filed and underway, or at the very least imminent or impending, and not just a hypothetical possibility.<blockquote><u>EDPB Guidelines:</u> on this Article there are [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-52019-criteria-right-be-forgotten-search-engines_en EDPB Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1)]</blockquote> | This provision (which also partly mirrors Article 9(2)(f) GDPR) establishes an exception which prevents data subjects from demanding an erasure of their personal data that might be relevant for the establishment, exercise or defense of legal claims, which should be interpreted broadly to include both public and private law claims. It should also be noted that these legal claims bust be either already filed and underway, or at the very least imminent or impending, and not just a hypothetical possibility.<blockquote><u>EDPB Guidelines:</u> on this Article there are [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-52019-criteria-right-be-forgotten-search-engines_en EDPB Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1)]</blockquote> | ||
Revision as of 15:04, 4 May 2023
Legal Text
1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
- (c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
- (d) the personal data have been unlawfully processed;
- (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- (f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
- (a) for exercising the right of freedom of expression and information;
- (b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- (c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
- (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- (e) for the establishment, exercise or defence of legal claims.
Relevant Recitals
Commentary
Article 17 confers upon the data subject the right to have their personal data erased. Paragraph 1 establishes a standard "right to deletion" of personal data and imposes an obligation on the controller to remove the data when certain conditions are met. To enhance the effectiveness of the right to deletion, especially on the internet (Recital 66), paragraph 2 introduces the so-called "right to be forgotten" which imposes a further obligation on the controller to inform other controllers of the request to delete all links, copies or duplicates of the data, through appropriate technical and cost-effective measures. Paragraph 3 sets out the exceptions to the rules outlined in paragraphs 1 and 2.[1]
(1) Right to erasure
The right to erasure does not constitute an absolute right granted to data subjects. It can be exercised only if one of the following legal grounds applies, which in turn gives rise to a correlated obligation on the controller.[2] Often times, it also requires a balancing exercise among the different interests at stake.
Right to obtain
Article 17 of the GDPR does not contain specific provisions regarding the methods for exercising the right to erasure. These provisions can be found in Article 12, which includes the general obligation to provide information which is accurate and clear (Article 12(1) GDPR), facilitate the data subject (Article 12(2) GDPR), respond and communicate the measures taken (Article 12(3) and (4) GDPR), the principle of freedom from costs (Article 12(5) GDPR) and the identity verification procedure in case of uncertainty (Articles 11 and 12(6) GDPR).
Erasure of personal data
The act of erasing data constitutes a type of processing as defined by Article 4(2) GDPR. The regulation does not provide a definition of "erasure". When it comes to deleting data, the controller has some discretion in choosing means and procedures. In any case, erasure must be effective.[3] Some possible methods for erasing data include physically eliminating the data by overwriting or erasing it, using mechanical or chemical methods such as shredding the paper, burning or otherwise destroying the data carrier, scratching the surface of CDs, and destroying codes or decryption devices without removing the data itself. In general, deleting a link or reference in a file system (logical deletion) typically does not result in the actual erasure of the data, but only makes it more challenging to locate. The requirements for deletion under data protection laws are evolving due to technological advancements. It is crucial to acknowledge the possibility of recovering deleted data through specialized software. The use of such software is generally expected and feasible.[4]
Deletion must be comprehensive but not in absolute terms. it therefore applies to all data and data carriers, including data stored on backup media, as well as those belonging to contractors (e.g., stored in a "cloud") or employees' private data processing devices. However, removing identical data that serves a legitimate and still valid purpose is unnecessary. In certain situations, preservation of backup copies, for instance, may also be justified due to the controller's legitimate interest. The right of erasure in the context of profiling (Article 4(4) GDPR) affects both the input data (i.e., the personal data on which a profile is based) and the output data (i.e., the profile itself).[5] The deletion obligation does not include any copies of the data made by third parties to whom the data has been disclosed. In this respect, there is an obligation to notify the erasure under Article 19 GDPR and the recipient may be subject to independent deletion obligations.
Relation with the "right to be forgotten"
The GDPR does not clearly state the relationship between the "right to erasure" and the "right to be forgotten." They are not interchangeable terms, but rather two distinct expressions of the rights of the data subject under Article 17 of the GDPR. Recital 66, paragraph 2 suggests that the "right to be forgotten" is related to the obligation under Article 17(2) to inform third parties about the erasure of personal data that has been made public. This obligation arises when the right to erasure is exercised.[6] For further information, see commentary under Article 17(2) GDPR below.
Obligation to erase personal data
The erasure of personal data is not solely based on a request from the data subject. In accordance with Article 5 of the GDPR, and in particular the principles of lawfulness, data minimization, and storage limitation, the controller must carry out the deletion independently if one of the elements included in the list (a-f) is met. For example, in the event that the data subject revokes their consent, it would be appropriate to proceed with the deletion of all personal data associated with the unauthorized processing. The same applies to processing that has achieved its purpose and therefore no longer has a viable purpose. In this case, it would also be necessary to delete all associated data. However, a blind execution of this obligation leads to unacceptable results. Taking inspiration from the examples mentioned earlier, in the case of consent withdrawal, it is necessary to assess the scope of the data subject's action. If the revocation does not concern the entire processing but only a specific part, an indiscriminate erasure would not only be unadvisable but also inadmissible. The same applies when the purpose of the processing is pursued. In this circumstance, the data subject may request a restriction of processing (Article 18 GDPR) instead of deletion (Article 17(1)(a) GDPR), and a controller-initiated deletion may be deemed abusive. Based on the aforementioned considerations, meticulous scholars elaborate an obligation of the controller, based on the facilitation obligation under Article 12(2) GDPR, to evaluate the situation on a case-by-case basis and, where necessary, contact the data subject for any clarifications regarding their intentions.[7]
Erasure must be done where one of the following grounds applies
(a) Data no longer necessary for the initial purposes
The personal data must be erased if they are no longer necessary for the purpose(s) they were initially collected for or otherwise processed. This scenario reflects the general GDPR principles of "purpose limitation" and “storage limitation” as provided for in Articles 5(1)(b) and (e) GDPR.
Determining when a purpose no longer exists is not a straightforward matter, as it varies case by case. Fixed deadlines cannot be set to address this issue. The European Court of Justice has established that an examinee can request that their examination answers and the examiner's comments be deleted once they are no longer necessary for identification, such as when the examination process is completed and the answers and comments have lost their probative value. Similarly, applicants' data can be deleted once the selection process has ended and there is no longer any legal protection against the appointment.[8]
Example: Once the electronic health card has been issued, a health insurance company no longer requires the photograph to be stored, as an example. Similarly, if there are no further labour law disputes with an employee, an employer no longer needs to store a warning letter after the termination of the employment relationship, as noted in another example. Additionally, a provider of basic security for job seekers is not required to retain a copy of the identity card after the end of the benefit period.[9]
The above is true unless the processing of personal data is “necessary for realising another purpose of processing that partially overlaps with or is compatible with the eliminated purpose” under Article 6(4) GDPR.[10] Art 6(4) GDPR establishes that, in order for the controller to determine whether processing for another purpose is possible (i.e. compatible with the purpose for which the personal data was initially collected), certain elements have to be taken into consideration (inter alia, the link between the former and further purpose, the context or relationship between the data subject and the controller, the nature of the personal data, the possible consequences of further processing, and the existence of appropriate safeguards). In such case, that is to say, when "further processing" is possible, erasure of personal data can be avoided.
Example: XXX
(b) Withdrawal of consent and no other legal basis
When the legal basis for processing is consent as provided for in Article 6(1)(a) GDPR or, as the case may be, Article 9(2)(a) GDPR when special categories of personal data are concerned. According to Article 7(3) GDPR, the data subject may withdraw their consent at any time. If this happens, and there is no other applicable legal ground,[11] the processing becomes unlawful and, in general,[12] data must be erased under Article 17(1)(b) GDPR.
Example: XXX
(c) Objection to processing and no overriding legitimate grounds exist
According to this provision, a data subject may request - or a controller be required to carry out - an erasure when an objection to processing in accordance with Article 21(1) GDPR has been raised[13] and there there are no compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject,[14] or for the establishment, exercise or defense of legal claims. In case of direct marketing,[15] an objection pursuant to Article 21(2) GDPR renders any further processing for the same purpose unlawful. This prevents the controller from carrying out any further direct marketing and should bring to the erasure of any linked data from its databases. However, if the same data is used for other purposes, that processing will still be possible provided that there is another applicable legal basis.
Example: XXX
(d) Unlawful processing
Processing can be unlawful for a number of reasons. Most commonly, processing is unlawful when it lacks any legal basis as prescribed in Article 6 GDPR or Article 9 GDPR, or when it violates the obligations of data controllers under the GDPR as provided for mainly in Chapter 2 and 4. As Voigt and von dem Bussche observe, “this provision can be seen as a sweeping clause, as it grants a right to erasure where processing is unlawful, whether it is for a lacking legal permission for processing or for non-compliance with the Regulation, such as regarding the organisational obligations of the controller”.[16]
(e) Compliance with a legal obligation
This provision establishes a legal basis analogous to the legal basis for processing under Article 6(1)(c) GDPR. It contains opening clause by which legal obligations are left to the discretion of Member States Hence, additional cases which would justify the erasure of data can be introduced at a national level.
(f) Information society services to children
This provision is meant to ensure a more thorough protective scheme for children, who enjoy increased protection under the GDPR. According to Article 8(1) GDPR, a child is anyone below the age of 16, though Member States have the discretion to establish a lower age for those purposes (the age of 13 is the minimum permitted age according to the GDPR). According to Article 4(25) GDPR “‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council.” Recital 65 GDPR establishes a reason for this provision, stating that where the data subject has given their consent as a child, and are not fully aware of the risks involved in the processing operations, they may want to remove such personal data, especially on the internet. The aforementioned Recital 65 also offers the possibility of exercising this right even when the data subject is no longer a child. According to Voigt and von dem Bussche, “it is unclear whether this right to erasure equals a withdrawal of consent and, thus, this provision would not have a separate scope of application as it would be a sub-part of Art. 17 Sec. 1 lit. a GDPR. Given the legislator’s aim to increase the protection of children and the otherwise lacking additional benefit, the provision should allow a request for erasure of selective personal data (where possible) without a withdrawal of the consent for processing altogether.[17]
(2) Obligation to inform other controllers ("Right to be forgotten")
This paragraph establishes an additional obligation for controllers who have made personal data public, to take reasonable steps to inform other controllers (including employees of the controller), processors, and third parties, which are processing this data, that its erasure has been requested by a data subject. . Article 17(2) GDPR is read together with Article 19 GDPR, which foresees the communication of any erasure of personal data to each recipient to whom the personal data had been disclosed (unless this proves impossible or entails disproportionate effort), as well as informing the data subject about those recipients if requested. Recital 66 GDPR clearly states that this addition is meant to "strengthen the right to be forgotten in the online environment", although it is not limited to this kind of processing. This paragraph is a clear reflection of the ruling in Google Spain.[18]
Rucker and Kugler note that to be able to comply with the requirements set out in Article 19 GDPR, “controllers should document and keep track of the organisations they transfer personal data to and the categories of personal data transferred.”[19] In this regard, Voigt and von dem Bussche suggest the implementation of technical and organisational measures to be able to record the recipients of personal data, including records of processing activities, as well as Data Protection Management Systems where feasible.[20]
This obligation in general has been criticised as conferring an excessive burden on controllers, which is moderated only by the non-defined notion of "reasonable steps", although there is also the view that the constitute an adequate leverage for the data controllers to ensure that they are not obliged to make disproportionate efforts. In fact, in Kranenborg’s opinion, “this obligation has actually been softened in comparison with the Commission’s initial proposal, according to which the controller was ‘considered responsible’ for a publication made by a third party if they had ‘authorised’ it, and had to take ‘all’ reasonable steps to inform those third parties of the erasure request.”[21] It is not entirely clear whether the reasonableness of these measures depends on the controller’s subjective situation, or whether objective criteria should be used. According to Voigt and von dem Bussche, “the former should be the case, as otherwise the obligation would be too much of a burden for micro, small and medium-sized enterprises whose interests have received special consideration under the GDPR.”[22]
Furthermore, as Kelleher and Murray highlight, “it seems that this amounts only to an obligation to inform other controllers that such links should be erased, the GDPR does not provide that controllers have to require such erasure and does not provide a specific mechanism by which controllers could require such erasure.”[23] Additionally, it is also important to keep in mind that third parties might be in a different position when processing the data which they have obtained through the controller. In this sense Carey notes, that “it is also entirely possible that a third party controller that has obtained personal data as a result of their having been made public by another controller will process those data on the basis of processing grounds that do not allow for erasure requests, or will be able to rely on exemptions to the right of erasure that are not available to the controller that made the data public.”[24]
Additionally, it is important to mention that according to the EDPB, this obligation of information does not apply to search engine providers when they find information containing personal data published or placed on the internet by third parties, index it automatically, store it temporarily and make it available to internet users according to a particular order of preference. In addition, "it does not require search engine providers, who have received a data subject’s delisting request, to inform the third party which made public that information on the internet. Such obligation seeks to give greater responsibility to original controllers and try to prevent from multiplying data subjects’ initiatives.”[25] Moreover, according to the Board, it is planning to issue specific Guidelines on Article 7(2) GDPR in the future.
(3) Exceptions
The exceptions here are not absolute, and a necessity test will be required. The refusal of the erasure is only allowed "to the extent that processing is necessary" for the reasons below. This means that a data subject may exercise the right to erasure when the processing is no longer necessary, or when it is carried out at a level beyond what is necessary. In any case, the data controllers bear the burden of demonstrating and proving that any exception that they may rely on is applicable.
(a) Freedom of expression and information
This exception reflects one of the most common balancing tests that not only courts but also many data protection authorities have been called upon to implement. When attempting to strike a balance, the following two factors need to be taken into consideration: first, the nature of information in question and its sensitivity for the data subject’s private life, and second, the public’s interest in accessing the information, which may vary depending on the data subject’s role in public life. Results may vary from case to case, but when the data is about a public figure or about the professional life of a data subject, the argument for refusing erasure in favour of freedom of expression and information usually prevails. Article 85(1) GDPR is relevant here, according to which "Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression."
It is important to take into consideration that according to Recital 153 GDPR, “in order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly.” According to Voigt and von dem Bussche, “this exception might become highly relevant in practice as this right cannot only be invoked by the press but also by any entity”, as well as any individual.[26] Voigt and von dem Bussche also note that “under this exception, an erasure of opinions should be excluded. However, the distinction between personal data and opinion can be difficult where an opinion is based on personal data. In such a case, it needs to be balanced out whether the underlying personal data is still necessary for forming an opinion. The older the personal data is, the more improbable is their necessity for forming an opinion.”[27]
(b) Compliance with a legal obligation, public interest, official authority
These situations refer to the grounds of processing contained in Article 6(1)(c) and (e). A common instance of such compliance with a legal obligation is compliance with national commercial or tax laws which may require the retention and processing of personal data.
(c) Public health
This section establishes an exception based on public health reasons, making specific references to provisions in Article 9 GDPR related to the processing of special categories of personal data.
Specifically, Article 9(2)(h) GDPR which refers to a broad exception based on processing necessity for the provision of health and social care. According to Georgieva and Kuner, the latter should be interpreted broadly to include assistance granted by social security authorities.[28] Besides health and social care services, it also includes other related purposes, such as the assessment of employee working capacities or the management of health or social care systems. For this exception to apply, the sensitive data must be processed by a professional subject to the obligation of professional secrecy, as established by an explicit complementary provision in Article 9(3) GDPR, also referenced in this section.
The other provision mentioned is Article 9(2)(i) GDPR, which is an exception for processing based on public interest considerations in the area of public health. It gives some examples, such as protection against serious cross-border threats, or ensuring adequate standards for health products and devices.
According to Recital 54 GDPR, the interpretation of “public health” corresponds to Regulation (EC) No 1338/2008,[Regulation (EC) No 1338/2008 of the European Parliament and of the Council of 16 December 2008 on Community statistics on public health and health and safety at work (available here).] which includes “namely all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality.”
(d) Archiving, scientific, historical research, statistical purposes
This section (which mirrors Article 9(2)(j) GDPR) contains a processing exception for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR, which in turn establishes that these processing purposes must be subject to appropriate safeguards for the rights and freedoms of data subjects. Among those safeguards, this article places an emphasis on data minimisation, and mentions pseudonymisation as a possible measure. This exception will apply when the right to erasure will have a considerable effect on these purposes, either rendering them impossible, or seriously impairing them.
(e) Legal claims
This provision (which also partly mirrors Article 9(2)(f) GDPR) establishes an exception which prevents data subjects from demanding an erasure of their personal data that might be relevant for the establishment, exercise or defense of legal claims, which should be interpreted broadly to include both public and private law claims. It should also be noted that these legal claims bust be either already filed and underway, or at the very least imminent or impending, and not just a hypothetical possibility.
EDPB Guidelines: on this Article there are EDPB Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1)
Decisions
→ You can find all related decisions in Category:Article 17 GDPR
References
- ↑ In the below commentary we will use the definition put forward by some authors according to which the "right to erasure" is made of two different elements, the classic "right of deletion" under paragraph 1 and the "right to be forgotten" (in the strict sense) under paragraph 2. See, Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 17 GDPR, margin number 1-3 (C.H. Beck 2018, 2nd Edition).
- ↑ As Voigt and von dem Bussche note, “the right of the data subject shall only help to enforce the controller’s obligation to erase personal data that would exist anyway under any of the grounds of Art. 17 Sec. 1 GDPR.” See, Voigt, von dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 159 (Springer 2017).
- ↑ Deletion must be effective but does not have to be irreversible. It is adequate that the processing and use of the data in question is no longer feasible in its previous form. The fact that at some point a reconstruction of the data (such as restoring a shredded paper) using technical aids (such as cache and metadata or other programs) becomes possible, does not invalidate the effectiveness of the deletion. See, Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 17GDPR, margin number 35 (C.H. Beck 2018, 2nd Edition).
- ↑ Dix, in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 17 GDPR, margin numbers 5 (NOMOS 2019).
- ↑ See, Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 17GDPR, margin number 35 (C.H. Beck 2018, 2nd Edition).
- ↑ Nolte, Werkmeister in Gola, DS-GVO, Article 17 GDPR, margin number 1 (C.H. Beck2018, 2nd ed.).
- ↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 17 GDPR, margin numbers 8-16 (C.H. Beck 2020, 3rd Edition).
- ↑ Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 17 GDPR, margin number 21 (C.H. Beck 2018, 2nd Edition).
- ↑ Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 17 GDPR, margin number 17 (C.H. Beck 2020, 3rd Edition).
- ↑ See, Voigt, von dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 157 (Springer 2017), citing Laue et al., Datenschutzrecht, Rechte der betroffenen Person (2016), margin number 41.
- ↑ The provision's explicit acknowledgement of the potential for alternative legal grounds suggests that the initial processing may have relied on multiple legal bases concurrently, such as consent and another legal basis under Articles 6 or 9 GDPR. See, Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 17 GDPR, margin number 23 (C.H. Beck 2018, 2nd Edition).
- ↑ See, "Obligation to erase personal data" above.
- ↑ Article 21(1) establishes the right to objection based on the data subject’s particular situation, when processing is based on the legal bases in Article 6(1)(e) and (f) GDPR (processing is necessary for the performance of a task in the public interest or legitimate interest of the controller), including profiling based on these provisions.
- ↑ The data controller bears the burden of demonstrating whether the overriding legitimate grounds exist. However, the data subject must argue the reasons for its request. Furthermore, the controller would have “the right to revaluate the situation as its own interests for processing might still prevail and an erasure might not have to take place. This evaluation might require some time, and thus the data subject could exercise its right to restriction of processing in the meantime.” See, Voigt, von dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 157 (Springer 2017).
- ↑ Direct marketing should be interpreted in a broad sense, and as Carey points out, this right applies not only to records of marketing communications sent to individuals but also to any personal data held for direct marketing, including data used for profiling. This includes data held for political canvassing and charitable fundraising purposes, as direct marketing encompasses any targeted communication that promotes an organization's goals and values. See, Carey, Data Protection: A Practical Guide to UK and EU Law, p. 144 (Oxford University Press, 2018, 5th Edition).
- ↑ Voigt, von dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 158 (Springer 2017).
- ↑ Voigt, von dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 158 (Springer 2017).
- ↑ CJEU, Case C-131/12, Google Spain, 13 May 2014 (available here).
- ↑ Schrey, in Rücker, Kugler, New European General Data Protection Regulation, A Practitioner's Guide: Ensuring Compliant Corporate Practice, p. 142 (C.H. Beck 2018).
- ↑ Voigt, von dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 163 (Springer 2017).
- ↑ Kranenborg, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 7 GDPR, p. 483 (Oxford University Press 2020).
- ↑ Voigt, von dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 163 (Springer 2017).
- ↑ Kelleher, Murray, EU Data Protection Law, p. 214 (Bloomsbury Professional 2018).
- ↑ Carey, Data Protection: A Practical Guide to UK and EU Law, p. 146 (Oxford University Press 2018. 5th Edition).
- ↑ EDPB, ‘Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1)’, 7 July 2020 (Version 2.0), p. 6 (available here).
- ↑ Voigt, von dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 159 (Springer 2017).
- ↑ Voigt, von dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide, pp. 159-160 (Springer 2017).
- ↑ Georgieva, Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 7 GDPR, p. 380 (Oxford University Press 2020).