AEPD (Spain) - EXP202202000: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 63: Line 63:
}}
}}


The Spanish DPA held that Google LLC had a legal obligation to preserve search results related to publications from a competition procedure and rightfully rejected a data subject's request to de-index the search results relating to their name.  
The Spanish DPA held that Google LLC was under a legal obligation to preserve search results relating to an employee selection process at a public body and rightfully rejected a data subject's request to de-index the search results relating to their name.  


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
The data subject exercised their right to erasure by requesting Google LLC (''controller'') to block search results of 4 URLs that contained their personal data. The controller denied this twice per email. The data subject then filed a complaint with the Spanish DPA.  
The data subject exercised their right to erasure by requesting Google LLC (''controller'') to de-index search results of four URLs that contained their personal data. The controller rejected this request twice. The data subject then filed a complaint with the Spanish DPA. During the investigation, the controller reconsidered and removed two of the four URLs. The two remaining URLs concerned an employee selection process at the State General Administrative Body. A provisional list of candidates and assessments were published in relation to the selection process. 


The DPA notified the controller's DPO of the complaint, who indicated that it previously denied the request twice. However, during the investigation, the controller reconsidered and removed 2 of the 4 URLs. The two remaining URLs related to the State General Administrative Body competition. A provisional list of candidates and an assessment were published in relation to the selection procedure.  
The controller stated that the two remaining URLs refer to information that is of public interest. It argued that institutional websites play an important role in keeping citizens informed on matters of interest to them. The information there should therefore be accessible without restrictions. The controller argued that the CJEU had held that search results should only be de-indexed after a balancing test of the rights at stake, namely the right to be forgotten and freedom of information. The right to be forgotten cannot imply a retrospective censorship of information correctly published at the time.  


The controller stated that the two remaining URLs refer to information that is relevant and of public interest related to the professional life of the data subject. It argued that institutional websites play an important role in keeping citizens informed on matters of interest to them. The information should therefore be accessible without restrictions.  
=== Holding ===
The DPA noted that under [[Article 17 GDPR#3b|Article 17(3)(b) GDPR]], personal data shall not be erased if their processing is necessary to comply with a legal obligation imposed by Union or Member State law. Pursuant to domestic Law 39/2015 on administrative procedures, administrative acts shall be published (1) if this is laid down in the rules of procedure or (2) when the competent body deems it appropriate due to reasons of public interest.<ref>Law 39/2015, of 1 October, on the Common Administrative Procedure of Administrations.</ref> 


The controller argued that the CJEU has declared that search results should only be blocked after a balancing test of the rights at stake (right to be forgotten and freedom of information). The right to be forgotten cannot imply a retrospective censorship of the information correctly published at the time.
The DPA held that the accessibility of publications on the website of a public institution guarantees legal certainty and administrative transparency. Therefore, it may be in the public interest to keep the URLs. Thus, the balance that Google LLC struck in its decision to reject the de-indexing requests was permissible.
 
=== Holding ===
The DPA noted that under  [[Article 17 GDPR#3b|Article 17(3)(b) GDPR]], data shall not be erased if they are necessary to comply with a legal obligation imposed by Union or Member State law. Pursuant to Law 39/2015 on administrative procedures, administrative acts shall be published (1) if this is laid down  in the rules for the procedure or (2) when the competent body deems it appropriate for the public interest.<ref>Law 39/2015, of 1 October, on the Common Administrative Procedure of Administrations.</ref> The DPA held that the accessibility of publications on the website of a public institution guarantees legal certainty and administrative transparency. Therefore, it may be in the public interest to keep the URLs. Thus, there is no interference with the data subject's right to privacy.  


The DPA dismissed the data subject's claim with respect to the two remaining URLs.
The DPA consequently dismissed the data subject's claim with respect to the two remaining URLs.


== Comment ==
== Comment ==

Revision as of 15:40, 7 September 2022

AEPD - PD-00081-2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 17 GDPR
Article 17(3)(b) GDPR
Type: Complaint
Outcome: Rejected
Started: 02.02.2022
Decided: 16.08.2022
Published: 16.08.2022
Fine: n/a
Parties: Google LLC
National Case Number/Name: PD-00081-2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: PL

The Spanish DPA held that Google LLC was under a legal obligation to preserve search results relating to an employee selection process at a public body and rightfully rejected a data subject's request to de-index the search results relating to their name.

English Summary

Facts

The data subject exercised their right to erasure by requesting Google LLC (controller) to de-index search results of four URLs that contained their personal data. The controller rejected this request twice. The data subject then filed a complaint with the Spanish DPA. During the investigation, the controller reconsidered and removed two of the four URLs. The two remaining URLs concerned an employee selection process at the State General Administrative Body. A provisional list of candidates and assessments were published in relation to the selection process.

The controller stated that the two remaining URLs refer to information that is of public interest. It argued that institutional websites play an important role in keeping citizens informed on matters of interest to them. The information there should therefore be accessible without restrictions. The controller argued that the CJEU had held that search results should only be de-indexed after a balancing test of the rights at stake, namely the right to be forgotten and freedom of information. The right to be forgotten cannot imply a retrospective censorship of information correctly published at the time.

Holding

The DPA noted that under Article 17(3)(b) GDPR, personal data shall not be erased if their processing is necessary to comply with a legal obligation imposed by Union or Member State law. Pursuant to domestic Law 39/2015 on administrative procedures, administrative acts shall be published (1) if this is laid down in the rules of procedure or (2) when the competent body deems it appropriate due to reasons of public interest.[1]

The DPA held that the accessibility of publications on the website of a public institution guarantees legal certainty and administrative transparency. Therefore, it may be in the public interest to keep the URLs. Thus, the balance that Google LLC struck in its decision to reject the de-indexing requests was permissible.

The DPA consequently dismissed the data subject's claim with respect to the two remaining URLs.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

(June 28, 2022). The director of the Spanish Agency for Data Protection (AEPD), Mar España Martí, and the president of UNICEF Spain, Gustavo Suárez Pertierra, have signed a General Protocol of Action for the development of actions aimed at the protection of...
  1. Law 39/2015, of 1 October, on the Common Administrative Procedure of Administrations.