HDPA (Greece) - 12/2024: Difference between revisions

From GDPRhub
 
(8 intermediate revisions by 3 users not shown)
Line 11: Line 11:


|Original_Source_Name_1=HDPA
|Original_Source_Name_1=HDPA
|Original_Source_Link_1=https://www.dpa.gr/sites/default/files/2024-04/12_2024%2520anonym%2520final.pdf
|Original_Source_Link_1=https://www.dpa.gr/sites/default/files/2024-04/12_2024%20anonym%20final.pdf
|Original_Source_Language_1=Greek
|Original_Source_Language_1=Greek
|Original_Source_Language__Code_1=EL
|Original_Source_Language__Code_1=EL
Line 63: Line 63:
}}
}}


The DPA held that the natural person's right to erasure must be satisfied and instructed Google to proceed immediately with the removal of several links that appear as search results with the full name of the data subject.
The DPA ordered Google to deindex some URLs relating to the criminal conviction of a data subject's relative, which appeared as search results when the full name of the data subject was typed. However, it did not require Google to delete third party blog posts on a blog platform that it hosted.


== English Summary ==
==English Summary==


=== Facts ===
===Facts===
The data subject submitted a data erasure request to Google LLC (the controller) on 7 September 2021 requesting the removal of several search results from the controller's search engine that were produced with his full name search. The results in question link to posts where his name had been linked to a criminal conviction, to which he contends he had no involvement. The data subject informed the controller, along with a plenary court ruling to prove he had no connection with the acts for which his relative was convicted and that his name had been wrongly linked to the criminal conviction. Additionally, the data subject requested the controller remove the 3rd-party user-created blog posts, for which the data subject believed Google was the controller as the owner of the blog hosting platform.
The data subject submitted a data erasure request to Google LLC (the controller) on 7 September 2021 requesting the removal of several search results from the controller's search engine that were produced with his full name search. The results linked pages where the data subject's name had been linked to a criminal conviction of a relative, which the data subject contended he had no involvement with. The data subject informed the controller, attaching a plenary court ruling to prove he had no connection with the acts for which his relative was convicted, that his name had been wrongly linked to the criminal conviction. Additionally, the data subject requested the controller to remove third party blog posts on Blogger, which the data subject believed Google was the controller of as the owner of the blog-hosting platform.


The controller had selectively removed certain links while retaining others, citing a legitimate public interest in having access to the information that concerned criminal offences, and, therefore, the deletion of the relevant links was not permissible. According to the data controller, this decision aligned with the criteria outlined in the Guidelines of the Article 29 Working Party. Additionally, the controller concludes that the data is related to professional activities of the data subject, specifically concerning alleged offences and involvement in scandals related to companies. The controller also asserts that the Prosecutor's Order produced by the data subject was not related to the aforementioned information, nor does it prove that the information was inaccurate or outdated.  
The controller selectively removed certain links while retaining others, citing a legitimate public interest in having access to the information that concerned criminal offences, and arguing that deletion of the relevant links was therefore not permissible. According to the controller, this decision aligned with the criteria outlined in the Guidelines of the Article 29 Working Party. Additionally, the controller argued that the data was related to professional activities of the data subject, specifically concerning alleged offences and involvement in scandals related to companies. The controller also asserted that the document produced by the data subject was not related to the aforementioned information and did not prove that the information was inaccurate or outdated.  


Finally, regarding the data on Blogger for which the data subject had requested removal, the company states that the service is provided by Google Ireland Ltd., a company based in Ireland, but neither Google LLC nor Google Ireland are responsible for the personal data that users of the service may post using the Blogger service. Google Ireland is the hosting provider for the data collected on the service within the meaning of Article 14 of European Directive 2000/31/EC. Additionally, the controller refers to the past complaint No. 3672/17-12-2013 of the Italian Supreme Court of Appeal, interpreting and applying the E-Commerce Directive, and also Article 14 par. 1 of Presidential Decree 131/2003. Based on these interpretations of the law, the company believes that since it is not the data controller for those blog posts, it had no such obligation, and the data subject’s request lacks merit that the company should also remove the corresponding posts from the Blogger platform and inform the persons responsible for the blog posts to do the same.
Finally, regarding the blogs which the data subject had requested removal of, the company stated that the service was provided by Google Ireland Ltd., a company based in Ireland, but that neither Google LLC nor Google Ireland were responsible for the personal data that users may post using the Blogger service. In particular, the controller argued that Google Ireland is the hosting provider for the data collected on the service within the meaning of Article 14 of [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32000L0031 European Directive 2000/31/EC]. Additionally, the controller referred to Article 14 par. 1 of [https://www.wipo.int/wipolex/en/text/493716 Presidential Decree 131/2003], which notes that hosting service providers do not have a general obligation to monitor the information they transmit or store. Based on these interpretations of the law, the company believed that since it was not the data controller for those blog posts, it had no obligation to remove the corresponding posts from the Blogger platform or to inform the persons responsible for the blog posts to do the same.


=== Holding ===
===Holding===
The Hellenic DPA noted that the search engine provider that receives a deletion request based on the particular situation of the data subject must delete the personal data in accordance with [[Article 17 GDPR|Article 17(1)(c) GDPR]] unless it is able to demonstrate that there are "compelling and legitimate reasons" for the inclusion of the specific search result, which in combination with [[Article 21 GDPR|Article 21(1) GDPR]] constitute "compelling and legitimate reasons." Additionally, in accordance with the case law of the Court of Justice of the European Union C-136/17, “the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person,The Hellenic DPA noted that the links referred to in the case contain publications from the years 2008, 2011, and 2012. The information in question is considered outdated, as it is older than ten (10) years and furthermore concerns issues that are no longer of interest to the readership, so that the consideration of others is omitted as a as a criteria for their deletion. The Authority unanimously decides that the controller, should be given the order to comply with the data ’subject’s erasure request to remove the links on the search engine.
The Hellenic DPA (HDPA) noted that a search engine provider that receives a deletion request based on the particular situation of the data subject must delete the personal data in accordance with [[Article 17 GDPR|Article 17(1)(c) GDPR]] unless it is able to demonstrate that there are "compelling and legitimate reasons" overriding the interests, rights and freedoms of the data subject for the inclusion of the specific search result, pursuant to [[Article 21 GDPR|Article 21(1) GDPR]]. In accordance with the case law of the CJEU in case C-136/17, “the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person.”  


For the additional request of the data subject regarding the erasure of 3rd party blog posts on the Google platform, the DPA noted that the Blogger online service is a hosting service that enables its users to create personalised blogs with content of their choice, edit, and delete that content. In which case, it does not appear that the company (Google LLC) is responsible for the posts of third parties contained in the Blogger service. According to Guidelines 5/2019 of the ESPB, "it does not require search engine providers, who have received a data subject’s delisting request, to inform the third party which made public that information on the internet." Based on that the HDPA considered, the second request should be rejected, for which the company was not the controller.  
The links referred to in this case contained publications from the years 2008, 2011, and 2012. The HDPA considered that the information in question was outdated, as it is older than ten years. Furthermore, the information concerned issues that were no longer of interest to the readers. The HDPA unanimously decided that the controller should be given the order to comply with the data ’subject’s erasure request to remove the links on the search engine.


For those reasons, the HDPA ordered the controller (Google LLC) to immediately proceed with the abolition and deletion of the links in the case, which appeared as search results with the complainant's first and last name in the Google search engine, and rejected the complainant's request to delete the articles that concern him and were hosted on Google blogging platform.
With regard to the additional request of the data subject on the erasure of third party blog posts, the HDPA noted that the Blogger online service is a hosting service that enables its users to create personalised blogs with content of their choice and permits user to edit and delete that content. Given these circumstances, it did not appear to the HDPA that the controller was responsible for the posts of third parties contained in the Blogger service. The HDPA cited [https://www.edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201905_rtbfsearchengines_afterpublicconsultation_en.pdf Guidelines 5/2019 of the EDPB], stating search engine providers who have received a delisting request are not required to inform the third party which made public that information on the internet. The HDPA thus determined that the second request should be rejected, since Google was not the controller.
 
For these reasons, the HDPA ordered the controller to immediately proceed with the deletion of the links which appeared as search results with the complainant's first and last name in the Google search engine, and rejected the complainant's request to delete the posts that concern him and were hosted on Google blogging platform.
 
==Comment==
Relevant cases: [[HDPA (Greece) - 11/2024]], [[HDPA (Greece) - 15/2024]]
 
Please find relevant provisions of laws and texts cited in this case below:


== Comment ==
'''Article 14 - Presidential Decree 131/2003 - Absence of a general control obligation'''<blockquote>1. Service providers shall not have, for the provision of the services referred to in Articles 11, 12 and 13 of this Directive, a general obligation to monitor the information they transmit or store, nor a general obligation to actively seek facts or circumstances indicating that unlawful activities are involved.
'''Article 14 - Presidential Decree 131/2003 - Absence of a general control obligation'''<blockquote>1. Service providers shall not have, for the provision of the services referred to in Articles 11, 12 and 13 of this Directive, a general obligation to monitor the information they transmit or store, nor a general obligation to actively seek facts or circumstances indicating that unlawful activities are involved.


Line 90: Line 96:
27. The Right to object affords stronger safeguards to data subjects since it does not restrict the grounds according to which data subjects may request delisting as under Article 17.1 GDPR.
27. The Right to object affords stronger safeguards to data subjects since it does not restrict the grounds according to which data subjects may request delisting as under Article 17.1 GDPR.


30. The GDPR therefore changes the burden of proof, providing a presumption in favour of the data subject by obliging on the contrary the controller to demonstrate “compelling legitimate grounds for the processing” (Article 21.1). As a result, when a search engine provider receives a request to delist based on the data subject’s particular situation, it must now erase the personal data, pursuant to Article 17.1.c GDPR, unless it can demonstrate “overriding legitimate grounds” for the listing of the specific search result, which read in conjunction with Article 21.1 are “compelling legitimate grounds (...) which override the interests, rights and freedoms of the data subject”. The search engine provider can establish any “overriding legitimate grounds”, including any exemption provided for under Article 17.3 GDPR. Nonetheless, if the search engine provider fails to demonstrate the existence of overriding legitimate grounds, the data subject is entitled to obtain the delisting pursuant to Article 17.1.c GDPR. As a matter of fact, delisting requests now imply to make the balance between the reasons related to the particular situation of the data subject and the compelling legitimate grounds of the search engine provider. The balance between the protection of privacy and the interests of Internet users in accessing to the information as ruled by the CJEU in the Costeja judgement can be relevant to conduct such assessment, as well as the balance operated by the European Court of Human Rights (ECHR) in press matters.</blockquote>
30. The GDPR therefore changes the burden of proof, providing a presumption in favour of the data subject by obliging on the contrary the controller to demonstrate “compelling legitimate grounds for the processing” (Article 21.1). As a result, when a search engine provider receives a request to delist based on the data subject’s particular situation, it must now erase the personal data, pursuant to Article 17.1.c GDPR, unless it can demonstrate “overriding legitimate grounds” for the listing of the specific search result, which read in conjunction with Article 21.1 are “compelling legitimate grounds (...) which override the interests, rights and freedoms of the data subject”. The search engine provider can establish any “overriding legitimate grounds”, including any exemption provided for under Article 17.3 GDPR. Nonetheless, if the search engine provider fails to demonstrate the existence of overriding legitimate grounds, the data subject is entitled to obtain the delisting pursuant to Article 17.1.c GDPR. As a matter of fact, delisting requests now imply to make the balance between the reasons related to the particular situation of the data subject and the compelling legitimate grounds of the search engine provider. The balance between the protection of privacy and the interests of Internet users in accessing to the information as ruled by the CJEU in the Costeja judgement can be relevant to conduct such assessment, as well as the balance operated by the European Court of Human Rights (ECHR) in press matters.</blockquote>'''DIRECTIVE 2000/31/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 8 June 2000'''
 
Article 14 - Hosting: <blockquote>1. Where an information society service is provided that consists of the storage of information provided by a recipient of the service, Member States shall ensure that the service provider is not liable for the information stored at the request of a recipient of the service, on condition that: (a) the provider does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent; or (b) the provider, upon obtaining such knowledge or aware- ness, acts expeditiously to remove or to disable access to the information.
 
2. service is acting under the authority or the control of the provider. Paragraph 1 shall not apply when the recipient of the
 
3. This Article shall not affect the possibility for a court or administrative authority, in accordance with Member States’ legal systems, of requiring the service provider to terminate or prevent an infringement, nor does it affect the possibility for Member States of establishing procedures governing the removal or disabling of access to information.</blockquote>


== Further Resources ==
==Further Resources==
''Share blogs or news articles here!''
''Share blogs or news articles here!''


== English Machine Translation of the Decision ==
==English Machine Translation of the Decision==
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.



Latest revision as of 09:26, 14 August 2024

HDPA - 12/2024
LogoGR.jpg
Authority: HDPA (Greece)
Jurisdiction: Greece
Relevant Law: Article 17 GDPR
Article 17(1) GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 07.09.2021
Decided: 29.02.2024
Published: 08.04.2024
Fine: n/a
Parties: Google LLC.
National Case Number/Name: 12/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Greek
Original Source: HDPA (in EL)
Initial Contributor: inder-kahlon

The DPA ordered Google to deindex some URLs relating to the criminal conviction of a data subject's relative, which appeared as search results when the full name of the data subject was typed. However, it did not require Google to delete third party blog posts on a blog platform that it hosted.

English Summary

Facts

The data subject submitted a data erasure request to Google LLC (the controller) on 7 September 2021 requesting the removal of several search results from the controller's search engine that were produced with his full name search. The results linked pages where the data subject's name had been linked to a criminal conviction of a relative, which the data subject contended he had no involvement with. The data subject informed the controller, attaching a plenary court ruling to prove he had no connection with the acts for which his relative was convicted, that his name had been wrongly linked to the criminal conviction. Additionally, the data subject requested the controller to remove third party blog posts on Blogger, which the data subject believed Google was the controller of as the owner of the blog-hosting platform.

The controller selectively removed certain links while retaining others, citing a legitimate public interest in having access to the information that concerned criminal offences, and arguing that deletion of the relevant links was therefore not permissible. According to the controller, this decision aligned with the criteria outlined in the Guidelines of the Article 29 Working Party. Additionally, the controller argued that the data was related to professional activities of the data subject, specifically concerning alleged offences and involvement in scandals related to companies. The controller also asserted that the document produced by the data subject was not related to the aforementioned information and did not prove that the information was inaccurate or outdated.

Finally, regarding the blogs which the data subject had requested removal of, the company stated that the service was provided by Google Ireland Ltd., a company based in Ireland, but that neither Google LLC nor Google Ireland were responsible for the personal data that users may post using the Blogger service. In particular, the controller argued that Google Ireland is the hosting provider for the data collected on the service within the meaning of Article 14 of European Directive 2000/31/EC. Additionally, the controller referred to Article 14 par. 1 of Presidential Decree 131/2003, which notes that hosting service providers do not have a general obligation to monitor the information they transmit or store. Based on these interpretations of the law, the company believed that since it was not the data controller for those blog posts, it had no obligation to remove the corresponding posts from the Blogger platform or to inform the persons responsible for the blog posts to do the same.

Holding

The Hellenic DPA (HDPA) noted that a search engine provider that receives a deletion request based on the particular situation of the data subject must delete the personal data in accordance with Article 17(1)(c) GDPR unless it is able to demonstrate that there are "compelling and legitimate reasons" overriding the interests, rights and freedoms of the data subject for the inclusion of the specific search result, pursuant to Article 21(1) GDPR. In accordance with the case law of the CJEU in case C-136/17, “the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person.”

The links referred to in this case contained publications from the years 2008, 2011, and 2012. The HDPA considered that the information in question was outdated, as it is older than ten years. Furthermore, the information concerned issues that were no longer of interest to the readers. The HDPA unanimously decided that the controller should be given the order to comply with the data ’subject’s erasure request to remove the links on the search engine.

With regard to the additional request of the data subject on the erasure of third party blog posts, the HDPA noted that the Blogger online service is a hosting service that enables its users to create personalised blogs with content of their choice and permits user to edit and delete that content. Given these circumstances, it did not appear to the HDPA that the controller was responsible for the posts of third parties contained in the Blogger service. The HDPA cited Guidelines 5/2019 of the EDPB, stating search engine providers who have received a delisting request are not required to inform the third party which made public that information on the internet. The HDPA thus determined that the second request should be rejected, since Google was not the controller.

For these reasons, the HDPA ordered the controller to immediately proceed with the deletion of the links which appeared as search results with the complainant's first and last name in the Google search engine, and rejected the complainant's request to delete the posts that concern him and were hosted on Google blogging platform.

Comment

Relevant cases: HDPA (Greece) - 11/2024, HDPA (Greece) - 15/2024

Please find relevant provisions of laws and texts cited in this case below:

Article 14 - Presidential Decree 131/2003 - Absence of a general control obligation

1. Service providers shall not have, for the provision of the services referred to in Articles 11, 12 and 13 of this Directive, a general obligation to monitor the information they transmit or store, nor a general obligation to actively seek facts or circumstances indicating that unlawful activities are involved.

2. Without prejudice to the provisions on the protection of privacy and personal data, information society service providers shall be obliged to inform the competent public authorities without delay of any suspicion of the provision of unlawful information or activities by recipients of their services, and to communicate to the competent authorities, at their request, information which facilitates the identification of recipients of their services with whom they have storage agreements.

EDPB: Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1)

19. This provision enables a data subject to request the delisting of personal information concerning him or her that have been made accessible for longer than it is necessary for the search engine provider’s processing. Yet, this processing is notably carried out for the purposes of making information more easily accessible for internet users. Within the context of the Right to request delisting, the balance between the protection of privacy and the interests of Internet users in accessing the information must be undertaken. In particular, it must be assessed whether or not, over the course of time, the personal data have become out-of-date or have not been updated.

27. The Right to object affords stronger safeguards to data subjects since it does not restrict the grounds according to which data subjects may request delisting as under Article 17.1 GDPR.

30. The GDPR therefore changes the burden of proof, providing a presumption in favour of the data subject by obliging on the contrary the controller to demonstrate “compelling legitimate grounds for the processing” (Article 21.1). As a result, when a search engine provider receives a request to delist based on the data subject’s particular situation, it must now erase the personal data, pursuant to Article 17.1.c GDPR, unless it can demonstrate “overriding legitimate grounds” for the listing of the specific search result, which read in conjunction with Article 21.1 are “compelling legitimate grounds (...) which override the interests, rights and freedoms of the data subject”. The search engine provider can establish any “overriding legitimate grounds”, including any exemption provided for under Article 17.3 GDPR. Nonetheless, if the search engine provider fails to demonstrate the existence of overriding legitimate grounds, the data subject is entitled to obtain the delisting pursuant to Article 17.1.c GDPR. As a matter of fact, delisting requests now imply to make the balance between the reasons related to the particular situation of the data subject and the compelling legitimate grounds of the search engine provider. The balance between the protection of privacy and the interests of Internet users in accessing to the information as ruled by the CJEU in the Costeja judgement can be relevant to conduct such assessment, as well as the balance operated by the European Court of Human Rights (ECHR) in press matters.

DIRECTIVE 2000/31/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 8 June 2000 Article 14 - Hosting:

1. Where an information society service is provided that consists of the storage of information provided by a recipient of the service, Member States shall ensure that the service provider is not liable for the information stored at the request of a recipient of the service, on condition that: (a) the provider does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent; or (b) the provider, upon obtaining such knowledge or aware- ness, acts expeditiously to remove or to disable access to the information.

2. service is acting under the authority or the control of the provider. Paragraph 1 shall not apply when the recipient of the

3. This Article shall not affect the possibility for a court or administrative authority, in accordance with Member States’ legal systems, of requiring the service provider to terminate or prevent an infringement, nor does it affect the possibility for Member States of establishing procedures governing the removal or disabling of access to information.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Athens, 29-02-2024 
Prot. No.: 682 
DECISION 12/2024 

The Personal Data Protection Authority (hereinafter "Authority") met at the invitation of its President in a meeting on Tuesday 13-062023 at 10.00, in order to consider the case referred to in the present history. The President of the Authority, Konstantinos Menudakos, the regular members Spyridon Vlachopoulos, Konstantinos Lambrinoudakis, Charalambos Anthopoulos, Christos Kalloniatis, AikateriniIliadou and Grigorios Tsolias were present, as rapporteur. Present, without the right to vote, were Stefania Plota, specialist scientist - lawyer, as assistant rapporteur and Irini Papageorgopoulou, employee of the administrative affairs department, as secretary. 

The Authority took into account the following: 

With the complaint No. G/EIS/5612/07-09-2021, A (hereinafter "complainant") appealed to the Authority against the company Google LLC (hereinafter "Google" or "company"), for failure to satisfy the right to deletion (rightful oblivion) of results appearing in the Google search engine based on his name. Specifically, the complainant has informed the company that there is a ... Order of Ms. Prosecutor Plemmeleiodiki ..., by which it was judged that he has nothing to do with the acts for which his relative was convicted -...- and his name has been wrongly linked in online posts with this relative and the his criminal conviction. The complainant states that he has submitted requests to the company on …, …, … and …, exercising the right to be forgotten and requesting the deletion of links from the company's search results based on his first and last name, as well as from the X platform, which, as he states , belongs to the complained company and that, although four (4) specific posts were deleted from the Google search engine, the corresponding posts were not also deleted from the mentioned platform. According to the complainant's complaint to the company's Data Protection Officer, the company's justification for not deleting the following links, contained in his request for deletion, was that they concern "public life", while the complainant claims that they include data against him, as, while he is accused of committing criminal offences, none of the posts mentions that the relevant indictment was filed and that no criminal prosecution is pending against the complainant for the cases listed in the following links: 1. ... 2 .. .. 3. .. 4. . reason, for which he has not received a response from the company, as he states: 8. ... 9. ... 10. ... 11. ... 12. ... The authority, in the context of examining the above complaint, called the companies Google LLC, as the operator of the Google search engine, and Google Hellas with the no. prot. C/EXE/2810/07-12-2021 document, to provide opinions on the accused. The company Google LLC, in response to the above document, informed the Authority with no. prot. C/EIS/292/14-012022 document that the complainant submitted through an online form his requests with reference number …, …, …, …, …, …, … and …, requesting the removal from the search results of search engine Google token the name of the links (URLs) mentioned in the above requests invoking the right to be forgotten. Google responded to the complainant with, among other things, the following: “[...] It appears that the information you want Google to remove is related to criminal offenses. We do not have any information or documents confirming that the specific criminal prosecutions listed in these URLs were resolved in your favor. Otherwise, if you were convicted of this crime, we do not have any information or documents that confirm the length of the sentence and/or whether other conditions related to the decision have passed. Without this confirmation, we are unable to fully assess your request to remove these URLs. Therefore, the URLs are currently not removed, because based on the information provided, they do not appear to be inaccurate, out of date or incomplete. However, if you wish to provide this or other supporting documentation that could help us evaluate your request, we may reevaluate it depending on the documentation we receive. You can send the takedown request directly to the webmaster of the website [...]'. The company pointed out in its response that the evaluation of the complainant's requests in application of the right to be forgotten comes to the conclusion that the deletion of the disputed links is not allowed in the present case for the following reasons: the right to be forgotten, as regulated by article 17 of the Regulation (EU) 2016/679, has been identified by virtue of the Costeja decision and the Guidelines of the Article 29 Working Group, as the right of a person to stop the information related to his person from being linked to his name and surname through the list of results, which follows search carried out on the basis of his name, when, at the time in question, the information "is inappropriate, is not or has ceased to be relevant to the relevant issue or is excessive in relation to the stated purposes or to the time that has passed » but in some cases a fair balance must be sought in particular between the legitimate interest of potentially interested internet users to access this information and the fundamental rights of the data subject under Articles 7 and 8 of the Charter. The company highlights the criteria set as questions in the OE Guidelines of Article 29, i.e. "What role does the subject play in public life", "Do the data relate to the professional life of the subject", "Are the data related to the professional life of the person excessively . Is the data subject still active in the same occupation", "Is the data accurate", "the data relate to criminal offences". The company concludes that in the present case, the content of the links included in the complainant's requests refers exclusively to information related to his professional activity (the complainant is a publisher and entrepreneur) and indeed to his alleged involvement in related, possibly criminal, court cases. In particular, the disputed publications refer to the offense ... alleged to have been committed by the complainant in relation to the companies ..., ... and ..., his alleged involvement in the scandal in ... Y, his alleged attempt to "silence" ... F, his alleged omissions to ..., as well as complaints that have been submitted ... about his businesses. According to the company, the complainant does not invoke, nor prove in any way the inaccuracy of the disputed information, while the Prosecutor's Order submitted by him is in no way related to the above-mentioned information, nor does he prove that it is inaccurate or outdated, while the content of the disputed links is recent and up-to-date, as in many cases it concerns publications of this year... In view of the above, there is, according to the company, a justified interest of the public to have access to the information in question and, therefore, the deletion of the relevant links is not permissible, based on the criteria set by the "Working Group Guidelines Article 29". Finally, the company stated that, because the following links (URLs) lead users to web pages whose content is not available, upon notification by the complainant, it will take the necessary actions to delete them from the list of search results displayed on the basis of his first and last name: i. ... ii. … iii. … iv. ...v. ...vi. ... vii. ... Following the examination of the elements of the file, the Authority with no. prot.G/EX/3007/23-11-2022 and G/EX/3005/23-11-2022 documents invited the above-mentioned companies and the complainant respectively, as legally represented, to attend, via video conference, the meeting of the Plenary of the Authority on 29-11-2022, in order to discuss the complaint in question. At the above meeting, the submitted request for postponement of the complainant's attorney was discussed, which was accepted by the Plenary and 10-01-2023 was set as a new date for the Plenary meeting to discuss the complaint in question. At this meeting, the attorney of the complainant Vasilios Sotiropoulos (AMDS ...) appeared and developed their opinions, and on behalf of Google LLC the attorneys of Ioannis-Dionysios Filiotis (AMDS ...), Chariklia Daouti (AMDS ...) and Evangelia Tsirigoti (AMDS ...) . Before the end of the meeting, the attorney of the complainant left and subsequently the complainant and the company submitted the no. prot. G/EIS/660/27-012023 and G/EIS/702/30-01-2023 memoranda, respectively, within the relevant deadline set by the President during the meeting. The complainant in the post-discussion memorandum submitted to the Authority stated that the controller accepted some deletion requests and actually removed the links from the Google search engine, while refusing to delete others. In addition, he stated that the controller refused to delete the content of the of personal data in any of these posts, the content was hosted by platform X blogs, which also belongs to Google, i.e. they were removed as search results, but remained as content on the blogs of the same editor, while he should have also informed platform X about the deletion of due to data, and this request was never answered by the controller.  The complainant stated that of all the links, for which he has requested the controller to be deleted as results in the Google search engine based on his name, the following still remain as search results: 1. … 2. … 3. … 4. … 5. … 6. … The company, with the memorandum it submitted to the Authority after the hearing, repeats what it had stated in the memorandum before the discussion of the complaint, as well as what it developed in the hearing, arguing that there is a justified interest of the public to have access to the information, since it concerns the complainant in his professional capacity, which he still maintains, while the accuracy of this information is not disputed based on the information he provided and that he is not obliged to delete the above links under point 2-6 - additionally asserting that the link under point 1 does not appear as a result in the search engine based on the name of the complainant, while the following link still appears as a result in addition: ... The company further states that the complainant did not dispute their accuracy and only the element he presented is under no. ... Prosecution Order, which is in no way related to the right to oblivion and the information mentioned in the publications concerning ... and ..., as it was issued on the appeal of B against, among others, the complainant, who was acquitted of the offenses ..., rejecting the facts that connected him with the actions themselves. The company also points out that the invoked Prosecutor's Order is not capable of documenting his right to oblivion, as regards the disputed publications, as the latter relate to different factual incidents that may constitute different criminal acts, such as ... . In relation to the complaint of the complainant to the DPO of the company Google LLC, which the complainant considered to be the controller of the data posted on the Blogger online service, a hosting service that enables users to create personalized blogs with content of their choice, the company states that this service is provided by the company Google Ireland Ltd, based in Ireland, but neither the company Google LLC nor Google Ireland is responsible for the processing of personal data that users of the service may post using the Blogger service. The company Google Ireland is the hosting provider for the data collected on the service in the sense of no. 14 of the European Directive 2000/31/EC. Regardless of the above, as to the substance of the aforementioned complaint by ..., the company maintains that it is without object and unfounded, as the complainant had requested that Google LLC withdraw the following posts from the Blogger service claiming that, since Google LLC deleted the above links from search engine, Google LLC must withdraw the corresponding posts from the Blogger service and inform the editors of the following posts to do the same: I… ii … iii … iv… However, as the company claims, the above posts i, ii and iv have already been deleted from the Blogger service by the users of the service who posted them (Blogger users) and Google LLC deleted the above links from the search engine because the corresponding posts had been withdrawn by their publishers (Blogger users) and the only post that appears today is as follows: … The post in question includes a depiction of the complainant with … in a public space and a mention of his name, is not illegal, nor inaccurate and therefore cannot be deleted by its publisher and, although it was initially withdrawn by its publisher and Google LLC on had been deleted from the search engine, reposted but still not included in the search engine results. In addition, the company states that, as accepted by the decision no. 3672/17-12-2013 of the Supreme Court of Appeal of Italy, interpreting and applying the E-Commerce Directive, the person who posts (Blogger user) is the controller and the only person responsible for ensuring the legality of the information, while Google Ireland has no obligation to check the information, and no responsibility for any illegality thereof, provided that it is not aware of the illegality and that there is no court decision recognizing the illegality. In fact, according to article 14 par. 1 of PD 131/2003, which incorporated the above Directive, internet service providers "do not [...] have a general obligation to control the information they transmit or store, nor a general obligation to actively search for facts or circumstances that indicate that it is for illegal activities". GoogleIreland, as the provider of the Blogger service in the EEA and Switzerland, as stated by the company, hosts the Blogger posts on its servers based on the instructions of the users of the Blogger service, without determining the means or purposes of processing any of the personal data you use. of the service probably decide to include Blogger in their posts and the only controllers of the data posted on the Blogger service are the users of the service, in accordance with the cited decision PPA 457/2016 (TNP NOMOS). 

The Authority, after examining all the elements of the file and what emerged from the hearing before it and the memoranda of the parties, after hearing the rapporteur and the clarifications from the assistant rapporteur, who was present without the right to vote, after a thorough discussion, 

THINKS IN AGREEMENT BY LAW 

1. Since, from the provisions of articles 51 and 55 of the General Data Protection Regulation 2016/679 (GDPR) and article 9 of law 4624/2019 (Government Gazette A΄ 137) it follows that the Authority has the authority to supervise the application of the provisions of the GDPR, this law and other regulations concerning the protection of the individual from the processing of personal data. 

2. Because Google LLC, based in the United States of America, with its document No. C/EIS/10060/14-12-2018 informed the Authority that, although Google Ireland will be the controller for the user data collected and processed when users interact with Google services - including data collected through the Google search engine where users choose to store activity or search history data in their accounts - Google LLC will continue to be responsible for processing of the data of the classified content (index) of the Google search engine and to manage the deletion process in the context of the right to be forgotten. Therefore, in the case under consideration, the purpose and means of processing to satisfy the right to erasure (to be forgotten) according to Article 17 of the GDPR, are fully determined by the company Google LLC, as it states, whose facility is located outside the European Union. Therefore, although the specific activity concerns data subjects located in the territory of the Union, since the company Google LLC does not have a main establishment in the Union for the activity in question, the "one-stop mechanism" established by Articles 56 and 60 of the GDPR does not apply the GDPR and, therefore, in accordance with the provisions of articles 55 para. 1, 2 para. 1 and 3 para. 2 GDPR and 13 para. 1 letter g' of Law 4624/2019, the Authority has the authority to undertake the complaint of A, for violation of the right to erasure. 

3. Since the activity of Google Hellas/Athens (GOOGL HELLAS Internet Applications Sole Proprietorship Limited Liability Company) is the provision of marketing services to Google Ireland Ltd, the complaint about the rejected request to delete links in the context of satisfying the right to be forgotten is considered only in terms of company Google LLC as data processor of the classified content (index) of the Google search engine. 

4. Because according to Article 4 item 7 "controller" is "the natural or legal person, public authority, agency or other entity that, alone or jointly with others, determines the purposes and manner of personal data processing character", as the provision has been interpreted in detail by the CJEU and the SC. 

5. Because according to article 17 par. 1 of the GDPR, "the data subject has the right to request from the controller the deletion of personal data concerning him without undue delay and the controller is obliged to delete personal data without undue delay , if one of the following reasons applies: a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, […], c) the data subject objects to the processing in accordance with Article 21 paragraph 1 and there are no compelling and legitimate reasons for the processing or the data subject objects to the processing in accordance with Article 21 paragraph 2, d) the personal data were processed unlawfully, [...]'. In paragraph 3 of the same article it is defined that "paragraphs 1 and 2 do not apply to the extent that the processing is necessary: a) for the exercise of the right to freedom of expression and the right to information [...]". 

6. Because in accordance with the above article 17 of the GDPR, as it has been interpreted according to the content of the Guidelines 5/2019 of the GDPR, the data subject has the right to request from the data controller the deletion of personal data concerning him without undue delay and the controller is obliged to delete personal data without undue delay if one of the grounds listed in Article 17 of the GDPR applies. The EDPS points out that, in the event that the deletion request is made for the first reason, i.e. the subject requests the deletion of content from the search results, when the subject's personal data is no longer necessary in relation to the purposes, from the search engine a balance must be ensured between the protection of privacy and the rights of Internet users when accessing information. In particular, it should be assessed whether, over time, the personal data has become obsolete or has not been updated. Also, the GDPR states that in the event that the deletion request is made for the third reason, i.e. the subject objects to the processing, then the GDPR provides stronger guarantees to data subjects than Directive 95/46, because the GDPR's right to object does not limit the grounds on which data subjects may request erasure pursuant to Article 17 para. 1 of the GDPR. The data subject can object to the processing "for reasons related to his particular situation", without having to demonstrate "compelling and legitimate reasons", as foreseen by Directive 95/46. The GDPR shifts the burden of proof and provides a presumption in favor of the data subject, obliging instead (the subject) the controller (in this case Google) to prove the compelling and legitimate reasons that make the processing absolutely necessary (Article 21 para. 1 GDPR). Consequently, when a search engine provider today receives a deletion request based on the particular situation of the data subject, it must now delete the personal data, in accordance with Article 17 para. 1 item. c) of the GDPR, unless it is able to demonstrate that there are "compelling and legitimate reasons" for the inclusion of the specific search result, which in combination with Article 21 paragraph 1 constitute "compelling and legitimate reasons (...) which override the interests, rights and freedoms of the data subject".

7. Because, according to the jurisprudence of the Court of Justice of the European Union, the data subject has the right to stop the information related to his person from being linked to his name through the list of results, which results from a search carried out based on the name of a natural person and in addition said search may result in users being able to obtain through the list of results, a systematic overview of the information available on the internet concerning said person and which enables users to form a , at least a detailed profile of the data subject, which concerns the privacy of the data subject.

8. Because, moreover, according to the jurisprudence of the Court of Justice of the European Union, it is up to the person, who requests the deletion of links, in case of alleged inaccuracy of the classified content, to prove the manifest inaccuracy of the information included in said content by presenting the evidence evidence which he may reasonably be expected to be able to seek, in the light of the circumstances of the particular case, in order to prove that manifest inaccuracy.

9. Because further, according to the jurisprudence of the Court of Justice of the European Union “[…] although the rights of the data subject protected by Articles 7 and 8 of the Charter prevail, as a rule, the legitimate interest of potentially interested internet users to access to the information in question, however, this balancing may depend on the critical circumstances of each case, in particular the nature of the information in question and its sensitivity to the privacy of the data subject as well as the public interest in having the information this, an interest which may vary depending, among other things, on the role played by the subject in question in public life [judgments of 13 May 2014, Google Spain and Google, C-131/12, EU:C:2014:317, paragraph 81, as well as of 24 September 2019, GC etc. (Delete links to sensitive data), C-136/17, EU:C:2019:773, paragraph 66]. 63. In particular, when the data subject plays a role in public life, he must show a greater degree of tolerance, given that he is unavoidably and knowingly exposed to public scrutiny (cf. ECtHR judgment of 6 October 2022, Khural and Zeynalov v. Azerbaijan , CE:ECHR:2022:1006JUD005506911, § 41 and case law cited there)'.

10. Because according to the Authority's jurisprudence, the reasons for submitting a link deletion request to the search engine service provider, such as Google, must be documented.

11. Because the Blogger online service is a hosting service that enables its users to create personalized blogs with content of their choice, edit and delete that content. In this case, it does not appear that the complained company is responsible for processing the posts of third parties contained in the Blogger service (with domain name "X") According to the Guidelines 5/2019 of the ESPD "it is not required of search engine providers that have receive an erasure request from a data subject to inform the third party that published said information on the internet."

12. Because in the case under consideration, according to the memorandum submitted to the Authority by the complainant after the hearing, the following links are retained as search results based on his name in the Google search engine:

i. …

ii. …

iii. …

iv. …

v. …

vi. …

while the other links mentioned in the complaint under consideration no longer appear as results based on the first name of the complainant in the Google search engine, as also emerged from a search by the Authority on 12-06-2023.

13. Because the under no. i, ii, iv. v. and vi. links referred to in paragraph 12 contain publications from the years 2008, 2011 and 2012. The information in question is considered outdated, as it is older than ten (10) years and furthermore concerns issues that are no longer of interest to the readership, so that the consideration of others is omitted criteria for their deletion.

14. Because the under no. iii. link referred to in paragraph 12 is a reproduction of a publication of the "Ψ" website, which has already been removed, following a relevant out-of-court statement by the complainant.

15. Because in the case under consideration, the request to delete the articles concerning the complainant and contained in the links mentioned above in paragraph 12, with domain name "X", which are posted on the Blogger service, has been unacceptably and illegally submitted to the complained company, which is not the controller of said posts.

Based on the above, the Authority unanimously decides that the complainant, as controller, should be given the order referred to in the executive order to comply with the complainant's request to delete the links resulting from the search engine, while the request to delete the articles should be rejected relating to the complainant and contained in the links in question.

FOR THOSE REASONS

The Authority: Orders, pursuant to the provision of article 58 par. 2 c of Regulation (EU) 2016/679, the company Google LLC, as data controller, to immediately proceed with the abolition-deletion of the links mentioned above in paragraph 12, as search results with the complainant's first and last name in the Google search engine.

It rejects the complainant's request to delete the articles that concern him and are contained in the links mentioned above in paragraph 12.

The president

The Secretary