HDPA (Greece) - 54/2024: Difference between revisions

Revision as of 21:51, 11 February 2025

HDPA - 54/2024

Authority:	HDPA (Greece)
Jurisdiction:	Greece
Relevant Law:	Article 12(2) GDPR Article 12(3) GDPR Article 17 GDPR Article 37(7) GDPR Article 7 CFR Article 8 CFR
Type:	Complaint
Outcome:	Upheld
Started:	06.11.2020
Decided:	29.06.2023
Published:	27.12.2024
Fine:	n/a
Parties:	A Google LLC Google Hellas
National Case Number/Name:	54/2024
European Case Law Identifier:	n/a
Appeal:	n/a
Original Language(s):	Greek
Original Source:	Website of HDPA (in EL)
Initial Contributor:	Sofia Papadopoulou

The Greek DPA orders the Controller (search engine company) to delete links appearing in results for the data subject's name and finds violations of GDPR Articles 12(2), 12(3), and 37(7), issuing enforcement orders accordingly.

English Summary

Facts

In 2020, the data subject filed a complaint with the Data Protection Authority (DPA) against Google LLC (Controller) for failing to fulfill their right to erasure (Article 17 GDPR) concerning links appearing in search results based on their name. The data subject argued that these results contained outdated information about a closed criminal case involving them.

The Controller partially complied with the request but retained one link. The data subject then identified additional publications that required deletion. However, the Controller failed to act within the 30-day deadline stipulated by Article 12(3) GDPR. Instead, it responded with an automated message, attributing the delay to the Covid-19 pandemic.

Before the DPA, the data subject presented the following arguments:

a. The Covid-19 pandemic is not a valid justification for delays under the GDPR or any other regulation. In any case, the Controller was required to inform the data subject within 30 days of any extension and its reasons.

b. The Controller claimed the erasure request was incomplete because it lacked the court judgment clearing the data subject of charges. In response, the data subject argued that the erasure request form imposes a character limit and does not allow attachments, preventing them from submitting supporting documents.

c. The data subject clarified that the deletion request was based on the data being outdated, not unclear, as the Controller asserted.

The Controller further stated that:

a. It provides multiple channels for data subjects to request data erasure, including direct email contact with its Data Protection Officer (DPO).

b. The undeleted link in question referred to a comment, which, according to the Controller, did not meet the criteria for erasure and did not contain any information directly linking it to the data subject.

Holding

After considering the arguments of both parties, the DPA reached the following conclusions:

1. Google LLC is the Data Controller, not Google Hellas/Athens, as it is responsible for the deletion process.

2. The data subject is not required to prove their claims, although they must be justified. The erasure request must be fulfilled unless the Controller demonstrates compelling and lawful reasons for continuing to process the data (Article 21(1) GDPR).

3. The remaining undeleted link could be associated with the data subject’s identity and past criminal cases.

4. While the DPA found that the Controller’s submission form allows unlimited characters, it lacks an attachment option, preventing data subjects from submitting supporting documents. The DPA concluded that this hinders the effective exercise of data subjects' rights, as they are forced to seek alternative communication methods. Thus, the Controller fails to facilitate the erasure request process.

5. The Controller did not comply with Article 12(3) GDPR, as a general, automated response does not meet the article’s requirements. The contact link for the Controller’s DPO did not include any contact details, making direct communication impossible.

Based on these findings, the DPA ordered the Controller to:

1. Provide an attachment option in the erasure request submission form.

2. Stop sending automated responses to submitted requests.

3. Publish the contact details of its DPO.

4. Delete the remaining link, as requested by the data subject.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.

Athens, 27-12-2024 No. Prot.: 3692 DECISION 54/2024 The Personal Data Protection Authority convened, upon invitation by its President, in a meeting on Tuesday 29-06-2023 at 10.00, in order to examine the case referred to in the history of this case. The President of the Authority, Konstantinos Menudakos, the regular members Spyridon Vlachopoulos, Konstantinos Lambrinoudakis, Charalambos Anthopoulos, Aikaterini Iliadou, as well as Christos Kalloniatis and Grigorios Tsolias, as rapporteurs, were present. Present, without the right to vote, were Stefania Plota, a specialist scientist - lawyer, as assistant rapporteur and Irini Papageorgopoulou, an employee of the administrative affairs department, as secretary. The Authority took into account the following: With the no. prot. C/EIS/7633/06-11-2020 and C/EIS/1538/03-03-2021 complaints to the Personal Data Protection Authority (hereinafter "Authority"), A (hereinafter "complainant"), complains to the company Google LLC (hereinafter "company"), for failure to satisfy the right to erasure (right to be forgotten). In particular, the complainant states in the first complaint under consideration that he addressed the company on ... submitting the no. …, …, …, …, …, …, …, …, …, …, … requests, exercising the right to be forgotten and requesting the deletion of the links referred to in the said requests that appear in the results of the Google search engine based on his name and surname, because “the results of the search engine are not up-to-date, as they only mention the personal data of the referral and temporary detention-pre-trial detention of the complainant in the year … and the year 1 Kifissias Avenue 1-3, 11523 Athens T: 210 6475 600 E: contact@dpa.gr www.dpa.gr…, but they do not complete the report with the outcome of the criminal case and the reference to the court decision of … . In other words, the transmission of outdated information conflicts with article 5 par. 1 point d’ of the General Data Protection Regulation which requires the updating of the data, which has not been carried out, thus violating the presumption of innocence of the complainant. Therefore, the retransmission as a “search result” of a personal data (prosecution and pre-trial detention) that is not updated with the outcome (judicial decision acquitting the complainant) is an illegal act and for this reason, Google must delete from the results the specific websites that were pointed out to it, in application of article 17 of the General Data Protection Regulation.” The company responded, as the complainant states, to the above requests by electronic mail, as follows: i. on … to requests no. …, …, concerning six (6) search engine results, for which it states that “It appears that the information you want Google to remove from the results list concerns criminal offenses. Based on the information at our disposal, we should conclude that this information is neither inaccurate nor outdated”, ii. on … – … on the requests …, …, …, …, …, …, for which the company states “Having assessed the balance of rights and interests relating to the specific content, including their relationship to your professional life, Google has decided not to block this content. Accordingly, Google has decided not to take action on these URLs”, and finally iii. on … on the requests …, …, …, in addition to the results referred to in point (i), the company replied that “the indicated web pages are not transmitted as search engine results or that they have already been withdrawn”. Subsequently, the complainant's attorney informed the Authority, on the one hand, with the email no. Γ/ΕΙΣ/8578/14-12-2020, that "there was partial compliance by the controller. We await the final settlement of the case, following our consultation with the Data Protection Officer. We kindly ask the Authority to wait until the expected development, as the problem may be resolved without the need for your intervention" and on the other hand, with the email no. Γ/ΕΙΣ/978/08-02-2021, that "the controller proceeded on ... to partially satisfy the right to deletion, for only some of the complained posts. Subsequently, on …, the data subject proceeded to submit a new deletion request for the posts that have not been deleted. At the same time, the data subject added deletion requests for other posts that concern him. However, the controller has not yet responded to our new requests. We intend today to address the Data Protection Officer of the controller again in writing. "With the no. prot. G/ΕΙΣ/1458/02-03-2021 memorandum, the complainant states that the company informed him of the deletion of eighteen links resulting from the deletion requests he submitted, concluding that "he notes that the thirty (30) day deadline for the satisfaction of his right to deletion ("right to be forgotten") was not respected, as provided for by article 12 of the General Regulation 2016/679 on the protection of personal data. On the contrary, while the requests were initially rejected, it subsequently took a time exceeding thirty (30) days from his address to the Data Protection Officer". Finally, regarding the only link that the company did not delete, the complainant's attorney, by e-mail dated …, stated that the response sent by the company was deemed satisfactory by the data subject. The Authority, in the context of examining the above complaint, invited the companies Google LLC, as the operator of the Google search engine, and Google Hellas with the document no. prot. C/ΕΣΕ/1027/07-04-2021 to provide their views on the complainants. The company Google LLC responded to the Authority with the document no. prot. C/ΕΙΣ/2781/23-04-2021 with the attached information, in which it stated the following: To the requests submitted to the company by the complainant on …, it responded on the same day with the following text “We have received your request. Your message is being processed, and we will evaluate your request as quickly as possible, given the volume of requests we have received. […] Due to the COVID-19 situation, we may need more time to respond to your request. 3We apologize for any inconvenience” and subsequently responded within a month to all of the complainant’s requests on … and …, as he pointed out, analyzing the reasons for rejecting each request. On … the complainant submitted a “Complaint before the Data Protection Officer of the company named Google LLC” partially modifying his requests and providing new information. Specifically: On the one hand, the complainant supplemented his requests to also concern the name AA in addition to the name A (“…among these results, there are also websites that refer to the complainant by name, either with the surname “A” or with the variant “AA” to which he refers […]”). On the other hand, he sent an excerpt from the no. …decision of the Three-Member Court of Appeal for Criminal Cases of Athens, which states that “D) It definitively terminates the criminal prosecution due to statute of limitations against the 2nd defendant A for the fact that […]”, amending the basis of the initial and already rejected requests for deletion in which they invoked that “…the court unanimously, after an agreed prosecutorial proposal, found the prosecution and temporary detention of Mr. A illegal and in excess of authority”, without in fact providing any evidence […]”. The company also states that after evaluating the complainant’s amended requests and the new evidence he submitted on … it satisfied his requests with respect to all links, except one, as the information referred to him is up-to-date and informed him accordingly on … . Therefore, as the company claims, it responded to the complainant within the deadline, satisfying all his requests, except one, and this response was deemed satisfactory by the complainant based on what he stated to the Authority and his complaint is without object and should be rejected by the Authority. As for the re-examination of the requests following the complainant's communication with the Data Processing Officer (hereinafter "DPO") of Google, the company states that "The complainant exercised the right to be forgotten on the grounds that the search results are inaccurate. On ... he did not provide any information required to prove that the data is manifestly inaccurate, therefore his requests were rejected within a month of their submission. On ..., the complainant sent information to Google regarding the inaccuracy of the information provided in the 4information links, amending and clarifying, in this regard, his requests regarding deletion of this information which had previously been rejected. Following this, Google responded to the complainant within a month, satisfying all of his requests, except one. Finally, in the letter in question, the company also referred to the complainant’s most recent of … and … sixty-two (62) requests for deletion, to which the company responded on the same day to the complainant’s attorney, as stated in the following email message: “[…] We have received your request. Your message is being processed, and we will evaluate your request as quickly as possible, given the volume of requests we have received […] Due to the impact of COVID-19, it may take us longer than usual to respond to your request. We apologize for the inconvenience.” The company points out that "in view of the above, it has informed the complainant in due time that further time will be required to handle his requests in accordance with Article 12, paragraph 3, subparagraph b of the GDPR, taking into account the circumstances of the pandemic and the large number of the complainant's requests (a total of 62 new requests)" and on the substance of the requests that, after evaluating the above requests, it will take measures to remove the links referred to in the requests from the results of the Google search engine based on the complainant's name, with the exception of one link, for which the conditions for deletion based on the invoked right to be forgotten are not met - with relevant justification of the company's decision - and points out that it may take several hours to implement the above actions and that these actions will not lead to the withdrawal of the content in question from the internet. The complainant, on the above memorandum of the complained company, which it itself communicated to the complainant, submitted to the Authority the memorandum under no. prot. C/ΕΙΣ/2939/06-05-2022, raising the following issues: 1. With each electronically submitted deletion request, the company sends an automated email, in which it responds that “due to COVID-19 conditions, we may need more time to respond to your request”, as justification for the delay in fulfilling Google’s obligations as a data controller which “has no basis in the GDPR or in other applicable legislation. Specifically, the response deadlines for data controllers under article 12 par. 3 are “without delay and in any case within one month of receipt of the request”. Furthermore, the deadline may be extended by two more months, but not “due to COVID-19”, or another pandemic incident, but only “taking into account the complexity of the request and the number of requests”. Furthermore, according to the same provision, Google is obliged in the event of exceeding one month to comply with the third subparagraph of paragraph 3, according to which “the controller shall inform the data subject of such extension within one month of receipt of the request, as well as of the reasons for the delay”. The company did not inform the applicant after the first 30 days of the reasons for making use of the extension, nor of the fact that it did not have the same court decision, as it now complains, and that it had a different interpretation of the Decision, which it is now informing the complainant about in the context of examining the complaint. The complainant also states that "the company, as an American giant in the Internet space, employs thousands of employees, who during the pandemic work from home, since the entire service of receiving and examining deletion requests due to GDPR violation is processed online and the physical presence of Google employees is not required for the timely and timely processing of deletion requests." Therefore, according to the complainant, the invocation of COVID-19, in addition to being legally unfounded, is also entirely irrelevant and the Authority should diagnose that the automated receipt sent by Google, with the unfounded, vague and irrelevant invocation of a possible delay due to COVID-19, does not constitute a legal fulfillment of Google's obligation, as a data controller, to inform the data subject about the use of the possibility of exceeding the legal deadline of 30 days. 2. The company states that the deletion requests were not complete, as the court decision itself, by which the subject was acquitted of the charges, was not included. The company unfoundedly invokes this decision, since a simple reading shows that the postings were not up-to-date, i.e. contrary to art. 5 par.1 of the GDPR, since they referred to a criminal prosecution and pre-trial detention of the complainant … years ago. “No court decision was required for Google to identify this, just as no court decision was provided in the famous Google Spain case, which found that the mere passage of a long period of time since the adverse personal data of the housing auction and its lack of timeliness were sufficient to recognize the obligation of the controller to check the deletion request under the then applicable Directive 95/46.” However, the fact that the court decision was not attached is due to the company because while “previously in the “Request Form for Removal of Personal Data – Removal under European legislation on personal data protection” there was also a space for attaching documents, so that data subjects could provide as complete material as possible, this no longer exists. …in the online request form for removal of personal data (accessible at the website: “https://www.google.com/webmasters/tools/legal-removalrequest? complaint_type=rtbf&visit_id=637530114519899199-3353308110&hl=el&rd=1”), there is absolutely no “field” that allows for the attachment of files, such as a .pdf file with a court decision. Furthermore, the number of letters (!) to which a text justifying the deletion request can be expanded has been dramatically limited, as, in the “Reason for Removal” field, the development of the reason is permitted by quoting text up to 1,000 characters (letters). However, this is a limitation on the right to erasure (Article 17 GDPR) that ultimately does not allow the data subject to exercise the right to completeness, so as to include the necessary documents but also to explain in detail to Google the legality problems that require the removal of the content, with the result that Google accepts requests, which it then deems incomplete at its discretion, so as to oblige the data subject to return through other means, such as contacting the Data Protection Officer in order to be able to submit a document or a more extensive justification for the deletion request. For these reasons, the Authority should reject as unfounded in law and substance Google's claims that it allegedly did not have complete information from the beginning to satisfy the deletion requests and should furthermore oblige Google to include in the online “Request Form for Removal of Personal Data – Removal based on European legislation on the protection of personal data” the special field for attaching files as well as to allow the submission of justification for the removal without any word limits.” 3. It would have no impact on the company's judgment if the sent excerpt of the court decision included only the reference to the statute of limitations and not the entire analysis of the lack of jurisdiction of the regular criminal court, since the mere claim that this case was completely out of date was sufficient, both with regard to the aspect of the complainant's pre-trial detention and with regard to the aspect of the non-inclusion of the outcome of the criminal prosecution, about which absolutely nothing was mentioned in the contested publications. Also, the complainant's memorandum states that "the company irrelevantly cites the analysis of the Article 29 Working Party regarding the examination of the accuracy of the data and the obligation of the data subject to justify why the data is not accurate, while in the present case, the right to be forgotten does not apply to "inaccurate" data, as the applicant does not dispute that he was indeed detained. The data is accurate. The problem they present is that they are not updated and it is one thing for the inaccuracy of the data to be one thing and another for the disputed data to be accurate, but not updated. This is why the GDPR in Article 5 refers on the one hand to accurate data and on the other hand to the fact that the data must be updated. They are two different cases" and the applicant is not obliged to point out the content of the missing update, but it is sufficient to simply report and prove that the data is not up-to-date, i.e. that ... years have passed, without the posts mentioning anything about the outcome of the case. 4. The company states in its memorandum that it will delete a set of posts submitted on … and …, i.e. 3 months have passed since the first date and 2 months since the second, while 8 is not legitimate to justify the delay due to Covid-19, as well as due to the large number of requests, as the requests may have been more, they were all based on the exact same legal basis and concerned exactly the same problem as that identified by the initial requests of …, namely posts that referred to the incident of the applicant’s pre-trial detention and prosecution, without being accompanied by a mention of the court judgment that exonerated the applicant. The complainant had also submitted the no. prot. C/ΕΙΣ/1538/03-03-2021 complaint against Google, in which it is stated that the complainant submitted to … requests for the deletion of sixty-three (63) “links-results from the search for his name, which present him as involved in a criminal case … and detained without reference to his release and in violation of article 5 par. 1 letter d of the General Regulation 2016/679, according to which personal data must be accurate and, when necessary, must be updated”, submitting to the Authority the Decision … of the Three-Member Court of Appeal for Criminal Cases. In its response letter under no. prot. C/ΕΙΣ/4057/18-06-2021, the company states that, in relation to the complainant’s requests from …, Google provides users multiple methods of submitting their requests, so that the relevant process is easy and effective for all users. Specifically, Google, through the special online form https://www.google.com/webmasters/tools/legalremoval- request? complaint_type=rtbf&visit_id=637590063287314128- 3790942157&hl=el&rd=1, which is available in the Greek language, provides the possibility of submitting a request with an unlimited number of characters, in such a way that any user, the complainant not exempted, can copy (“copy-paste”) even the entire text of the court decision invoked by him in the relevant field. The only limitation in this form is in the field for submitting the URLs whose withdrawal is requested, where it specifically states "You can enter one URL per line (Up to 1000 lines)". Thus, the complainant not only had the opportunity to develop his requests to the extent he wished and using an unlimited number of words in the relevant available field of the form on which there is no restriction, but also had the option to include all the URLs whose removal he requested in a single form instead of submitting completely abusively many dozens of separate requests within a period of only three months […] and the complainant had the option, alternatively, to submit to Google the invoked decision via a link (Google Drive), or even to directly address his request via email to Google's Data Protection Officer (DPO), with all the documents related to the request, as he ultimately did. "With regard to the second complaint, in addition to what he had already mentioned in the no. protocol. G/ΕΙΣ/2781/23-04-2021 letter to the Authority, Google states that, with regard to the links listed in the sixty-two new requests, it has already informed that it will take measures to withdraw them from the results of the Google search engine based on the complainant's name and refused to delete only the following link... As for the link in question, which concerns a comment under a post on the website in question, the company invokes - in combination with what it states in its letter to the Authority under the aforementioned protocol no. C/EIS/2781/23.04.2021 - the Guidelines of the Article 29 Working Party and the Costeja Decision, and claims that its deletion from the search results is not permitted in the present case based on the invoked right to be forgotten, as it appears that the conditions for submitting a deletion request based on this right are not met, since the information contained therein is related to the complainant's professional life, noting that the comment does not refer to the complainant either by name or based on any element of his personality (e.g. professional capacity), and - as such - it links him to with ..., and based on the available information, the company concludes that the information is recent, up-to-date, accurate and that there is still a public interest in accessing it. The complainant had refuted this claim in his memorandum mentioned above by ..., stating that "the comments that constitute an integral element of the post, because they are inevitably read by anyone seeking information 10 with the criterion of the name "A", also include the following outdated data about the applicant, which relate him to the aforementioned criminal prosecution for which he has been acquitted: "..."). The company also points out that, taking into account the fact that at the time of submitting the complaint, the deadline of article 12 par. 3 GDPR had not yet expired. b’ and already responded to all the complainant’s requests within the deadline with its memorandum, the complaint before the Authority is inadmissible. Finally, the complainant requested a copy of the company’s written opinions from …, which was granted to him and he did not submit any more opinions than the above from … . Subsequently, the Authority called with the no. prot. G/ΕΣΕ/1625/29-06-2022 and G/ΕΣΕ/1629/29-06-2022 documents the above-mentioned companies and the complainant, respectively, as legally represented, to attend, via videoconference, at the meeting of the Plenary of the Authority on Tuesday, 05-07-2022 in order to discuss the aforementioned complaints. At this meeting, the request for postponement submitted by the complainant was discussed, which was accepted by the Plenary. Subsequently, the Authority invited again with the no. prot. G/ΕΣΕ/2210/07-09-2022 and G/ΕΣΕ/2208/07-09-2022 documents the above-mentioned parties involved, respectively, as legally represented, to attend the meeting of the Plenary of the Authority on Tuesday, 13-09-2022 in order to discuss the aforementioned complaints. This meeting was attended by the complainant's attorney Vasilios Sotiropoulos (AMDSA …) and on behalf of the company Google LLC, the attorneys Chariklia Daouti (AMDSA …) and Evangelia Tsirigoti (AMDSA …). The attendees developed their views and were given a deadline for submitting memoranda. Subsequently, the complainant and the company submitted the no. prot. C/ΕΙΣ/10564/29-09-2022 and C/ΕΙΣ/10595/30-09-2022memorandums respectively. The complainant reiterated what he had stated in the documents he had submitted to the Authority, pointing out that “nowhere on the defendant’s website are the contact details of its DPO listed. According to article 37 par. 7, the controller publishes the contact details of the Data Protection Officer […]. The details of the defendant’s DPO are not published in the 11 “Request Form for the Removal of Personal Data” and we were not able to locate them anywhere else on the defendant’s website.” The company complained about reiterated what it had stated in the initial memorandum, pointing out that both complaints have been submitted prematurely and abusively, as before the respective response deadlines expired, the company fully satisfied the complainant's requests and additionally provided as relevant i. an affidavit from Google's Policy Specialist, in which she states that "in order to ensure data protection for users, Google has removed the option to attach documents to the removal request forms, in order to prevent sensitive information from being sent to an unsecured environment outside of Google's facilities and to protect data that may be processed by employees working from home", ii. a copy of the websites "https://support.google.com/policies/answer/9581826?hl=en - GB&visit_id=637986647862684826-125515017&rd=1#zippy=%2Creport-content-or- information%2Cget-help-with-privacy-related-questions%2Ccontact-googles-data- protection-office" and "https://support.google.com/policies/contact/general_privacy_form", through which Google provides the tools for users of its services to have the opportunity to contact its DPO, as stated by the company, and iii. the decision of the Supreme Court of Greece ... regarding the inadmissibility of a claim by the search engine regarding a method of filtering the information it contains. The Authority, after examining the elements of the file, after hearing the rapporteurs and the clarifications from the co-rapporteur, who attended without the right to vote, following a thorough discussion, HAS DECIDED IN ACCORDANCE WITH THE LAW 1. Whereas, from the provisions of articles 51 and 55 of the General Data Protection Regulation 2016/679 (GDPR) and article 9 of law 4624/2019 12 (Government Gazette 137) it follows that the Authority has the competence to supervise the implementation of the provisions of the GDPR, this law and other regulations concerning the protection of individuals from the processing of personal data. 2. Whereas Google LLC, based in the United States of America, with the no. prot. G/ΕΙΣ/10060/14-12-2018 informed the Authority in its document that, although Google Ireland will be the controller for user data collected and processed when users interact with Google services - including data collected through the Google search engine, where users choose to store activity data or search history in their accounts - Google LLC will continue to be the controller for the data of the classified content (index) of the Google search engine and to manage the deletion process in the context of the right to be forgotten. Therefore, in the case under consideration, the purpose and means of processing for the purpose of satisfying the right to deletion (to be forgotten) under Article 17 of the GDPR are fully determined by the company Google LLC, as it itself states, whose establishment is located outside the European Union. Therefore, although this specific activity concerns data subjects located in the territory of the Union, since Google LLC does not have a main establishment in the Union for the activity under consideration, the "one-stop shop" established by the GDPR under Articles 56 and 60 does not apply and, therefore, in accordance with the provisions of Articles 55 par. 1, 2 par. 1 and 3 par. 2 GDPR and 13 par. 1 letter g of Law 4624/2019, the Authority has the competence to deal with the complaints of A. 3. Since the activity of Google Hellas/Athens (GOOGLE HELLAS Internet Applications Single-member Limited Liability Company) is the provision of marketing services to Google Ireland, the complaint for the rejection of the request to delete links in the context of satisfying the right to be forgotten is examined only with respect to the company Google LLC as the data controller of the classified content (index) of the Google search engine. 134. Because according to Article 4(7) of the GDPR, "controller" is "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data", as the provision has been analytically interpreted by the CJEU and the Council of State. 5. Whereas Article 12 GDPR provides, inter alia, that: “[…] 2. The controller shall facilitate the exercise of the rights of data subjects set out in Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to act on a request from the data subject to exercise the rights under Articles 15 to 22, unless the controller demonstrates that it is unable to verify the identity of the data subject. 3. The controller shall provide the data subject with information on the action taken on a request pursuant to Articles 15 to 22 without delay and in any event within one month of receipt of the request. That period may be extended by two further months, where necessary, taking into account the complexity of the request and the number of requests. The controller shall inform the data subject of such extension within one month of receipt of the request, as well as of the reasons for the delay. (…). 4. If the controller does not act on the data subject’s request, the controller shall inform the data subject, without delay and at the latest within one month of receipt of the request, of the reasons for not acting and of the possibility of lodging a complaint with a supervisory authority and of seeking a judicial remedy. (…). 6. Whereas, in accordance with Article 17 par. 1 of the GDPR, “the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall be obliged to erase personal data without undue delay where one of the following grounds applies: a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, […], c) the data subject objects to the processing pursuant to Article 21(1) and there are no compelling legitimate grounds for the processing or the data subject objects to the processing pursuant to Article 21(2), d) the personal data have been processed unlawfully, […]”. In para. 3 of the same article states that “paragraphs 1 and 2 shall not apply to the extent that processing is necessary: a) for the exercise of the right to freedom of expression and the right to information […]” 7. Because according to the above Article 17 of the GDPR, as interpreted in accordance with the content of the EDPB Guidelines 5/2019, the data subject has the right to request from the controller the erasure of personal data concerning him or her without undue delay and the controller is obliged to erase personal data without undue delay, 2 if one of the reasons referred to in Article 17 of the GDPR applies. The EDPB states that in case the request for erasure is made for the third reason, i.e. the subject objects to the processing, then the GDPR provides stronger guarantees to data subjects than Directive 95/46, because the GDPR right to object does not limit the grounds on which data subjects can request erasure under Article 17(1) of the GDPR. The data subject can object to the processing “on grounds relating to his or her particular situation”, without having to demonstrate “compelling and legitimate grounds” as provided for in Directive 95/46. The GDPR shifts the burden of proof and provides a presumption in favour of the data subject, obliging instead the data subject (the subject) to prove the compelling 1Guidelines 5/2019 of the European Data Protection Board on “the criteria governing the right to be forgotten under the GDPR in the case of search engines”. 2See Guidelines 5/2019 par. 27. 15and legitimate grounds which make the processing strictly necessary (Article 21 par. 1 GDPR). Consequently, when a search engine provider receives a request for erasure based on the particular situation of the data subject, it is now obliged to erase the personal data, in accordance with Article 17 par. 1 lit. c) of the GDPR, unless it can demonstrate that there are “compelling and legitimate reasons” for including the specific search result, which in conjunction with Article 21(1) constitute “compelling and legitimate reasons (...) which override the interests, rights and freedoms of the data subject”. 8. Whereas, according to the case-law of the Court of Justice of the European Union, the data subject has the right to have information relating to him or her no longer linked to his or her name in the list of results resulting from a search carried out on the basis of the name of a natural person and, furthermore, that search may result in users being able to obtain, through the list of results, a systematic overview of the information available on the internet concerning that person and which enables users to form a more or less detailed profile of the data subject, which concerns the private life of the data subject .5 9. Whereas, moreover, according to the case-law of the Court of Justice of the European Union, it is for the person requesting the deletion of links, in the event of alleged inaccuracy of the classified content, to prove the manifest inaccuracy of the information included in the said content by providing the evidence, which it can reasonably be expected to be able to seek, in the light of the circumstances of the specific case, in order to prove this manifest inaccuracy. 10. Furthermore, according to the case-law of the Court of Justice of the European Union, “[…] although the rights of the data subject protected by Articles 7 and 8 of the Charter generally outweigh the legitimate interest of potentially interested internet users in having access to the information in question, that balancing may nevertheless depend on the relevant circumstances of each case, in particular the nature of the information in question and its sensitivity for the data subject’s private life, as well as the public interest in having access to that information, an interest which may vary depending, inter alia, on the role played by the data subject in public life [judgments of 13 May 2014, Google Spain and Google, C-131/12, EU:C:2014:317, paragraph 81, and of 24 September 2019, GC and Others (De-linking of sensitive data), C-136/17, EU:C:2019:773, paragraph 66]. 63. In particular, where the data subject plays a role in public life, he must demonstrate a greater degree of tolerance, given that he is inevitably and knowingly exposed to public scrutiny (cf. judgment of the ECtHR of 6 October 2022, Khural and Zeynalov v. Azerbaijan, CE:ECHR:2022:1006JUD005506911, 7 § 41 and the case-law cited therein)”. 11. Since, according to the case-law of the Authority, the grounds for submitting a request for de-linking to a search engine service provider, such as 8 Google, must be substantiated. 12. Since, in accordance with Article 37(7) GDPR, the controller shall publish the contact details of the DPO and as provided for in the Guidelines of the Article 29 Working Party, the contact details of the DPO must include information that allows data subjects and supervisory authorities to contact the DPO in an easy manner, such as a postal address, a contact telephone number, and/or a contact telephone number. 13. Whereas, with regard to the first complaint regarding the complainant's requests submitted to the company on … and concerning fifteen (15) links, it appears from all the information in the case file, the hearing and the submitted memoranda that the company ultimately satisfied the request for deletion of the fourteen (14) links contained therein. Furthermore, for one link … the company states that "the relevant information refers to criminal offenses for which there is public interest for historical reasons and is updated based on the latest developments of the events to which they refer. Based on the information at our disposal, we conclude that the information is up-to-date, accurate and there is still public interest in accessing it" and the complainant stated to the Authority that he is satisfied with the company's response. In a search by the Authority on 05-05-2023, the said link does not appear as a result in the Google search engine based on the complainant's name and surname and also, the same link leads to the information that "the article was not found". Therefore, with regard to the substance of the requests for deletion of the fourteen (14) links contained in the complainant's first complaint and which have been satisfied as set out above, as well as with regard to the request for deletion of the aforementioned fifteenth link, the complaint no longer has any purpose and there is no reason to examine it further. 14. Because, with regard to the complainant's request for deletion, the only link, ..., which the company refuses to delete, out of the total of seventy-four (74) links, the deletion of which the complainant had requested, contains a comment from a reader of the article listed below the text and, although the complainant's name is not mentioned in this comment, the link to the article is inseparable for the reader of the post and, therefore, has the result that anyone searching for information based on the complainant's name is led to this result, 18 which consists of the article together with the comment which, as a single whole, constitutes information, which refers to the data subject, and the average Internet user can perceive that the comment in question refers to the complainant. The information in question concerns a case of ..., for which the complainant was remanded in custody and then the acquittal decision was issued on …, the subject of the links for which the company had already satisfied the complainant's requests. Therefore, the Authority considers that the company unlawfully refuses to satisfy the complainant's right to deletion in accordance with article 17. And although following a search by the Authority on 05-05-2023 using the complainant's name as a criterion in the Google search engine, the link in question did not appear as a result, the company, however, has an obligation to confirm that the link in question has been deleted/removed from the results of the Google search engine. 15. Because, following the above, the Authority is in a position to examine the complainant's allegations concerning the exercise of the rights of the subjects with regard to (i) the possibility of attaching documents, and (ii) the use of a sufficient number of characters in the "Request for Removal of Personal Data Form". In particular, the complainant states that it is not possible to attach documents and that there is a text limit of one thousand (1000) characters, which limits the right to deletion, as the subject is not allowed to include the necessary documents and to explain in detail to the company the legality problems that require the removal of the content. In checking the link referred to in the complainant's Memorandum https://www.google.com/webmasters/tools/legal- removalrequest? complaint_type=rtbf&visit_id=637530114519899199- 3353308110&hl=el&rd=1, which contains the electronic form in question, it appears that in the field “Reasons for Removal” of the link, where the applicant is asked to explain “(1) how the personal information identified above relates to the individual concerned by the specific request and (2) why you believe the personal information should be removed”, the possibility of recording text with an unlimited number of characters is provided. A limitation in the form in question is found in the field for submitting the links, the withdrawal of which is requested, where it specifically states “You may enter one URL address per line (Up to 1000 lines)”. Therefore, regarding the permitted number of characters, it does not appear that the submission of the right to erasure of the subject and specifically of the complainant is limited. On the contrary, regarding the possibility of attaching documents, the company states that “the complainant had the option, alternatively, to submit to Google the cited decision via a link (Google Drive), or even to directly address his request via email to the Data Protection Officer (DPO) of Google, with all the documents related to the request, as he ultimately did”, adding to the above argument for the large number of characters in the “Reasons for deletion” field that the complainant could “copy-paste” even the entire text of the cited judicial decision into the relevant field”. Additionally, with no. C/ΕΙΣ/10595/30-09-2022memorandumthecompanyfurtherstatesthat"Googleduringthepandemicsuspendedtheabilitytosubmitattacheddocuments,duetotheemergencyandspecialneedsthathademerged",providinganaffidavitfromGoogle'sPolicySpecialist,inwhichhestatesthat"inordertoensuredataprotectionforusers,Googleremovedtheoptiontoattachdocumentsintheremovalrequestforms,inordertopreventsensitiveinformationfrombeingsenttoanunsecureenvironmentoutsideGoogle'sfacilitiesandtoprotectthedatathatmaybeprocessedbyemployeesworkingfromhome". However, in accordance with Article 12 GDPR referred to in paragraph 5, and given that ensuring the sending of “sensitive information” in an insecure environment can be achieved by other means, without prohibiting the submission of attached documents, the request submission form, which the subject completes, must provide him with all the possibilities to submit a complete request, if this concerns the exercise of a right under the GDPR. A full and complete exercise of a right is not understood when the subject is obliged to use alternative channels, such as the methods of submitting documents mentioned by Google, 20 an action that entails delay and creates obstacles to the exercise of the right. Therefore, in the Authority's opinion, since the company does not provide the possibility of attaching a file to the Personal Data Removal Request Form, although documents may be required as a necessary element of documentation, it does not sufficiently facilitate the exercise of the subjects' rights and violates Article 12(2) of the GDPR and, therefore, it is necessary to provide from now on the possibility of attaching a file to document what the subject supports in the Request for Removal of Association. 16. Since the Authority finds that in the case under examination the complainant was not given the opportunity to attach to the requests he submitted to the company on … the court decision, which was subsequently proven to be an element of documentation that led to the deletion of the links and, therefore, the exercise of the right was not carried out properly, not due to the fault of the complainant - other than his failure to include the term "AA", in addition to the term "A" in his above request - but due to the procedure applied by the company. Therefore, the company's claim that the first complaint is inadmissible because it was submitted before the deadline of article 12 par. 3 of the GDPR, due to the fact that the complainant resubmitted the erasure requests to the company's Data Protection Officer on …, notifying the exculpatory court decision, to which the company responded on … . 17. Because the company informed the complainant who submitted the erasure request by automated message that it might take “more time” to respond to the request, citing the Covid- pandemic. However, from Article 12 par. 3 of the GDPR, according to which the controller must respond to the exercise of the subject's right in any case within a period of one month from receipt of the request, which may be extended by two more months, due to the complexity of the request and the number of requests, it does not follow that the pandemic in itself constitutes a reason for extending the 21satisfaction of the subjects' rights. In this regard, the Authority has accepted that “the obligation to satisfy the rights exercised by data subjects is maintained intact when performing work remotely”, while “as regards any delays in responding to requests that constitute the exercise of rights by subjects, in this case in particular by employees, that on the one hand, no provision of the GDPR and national legislation provides for the temporary suspension of the relevant deadlines and obligations to satisfy rights, and on the other hand, that it constitutes an obligation for the controller to internally document the reasons for the delay or non-satisfaction of the exercised rights, taking into account both the legal principle “no one is obliged to the impossible”, as well as the subject matter and conditions of the controller’s activity that may be burdened by the emergency condition (such as hospitals in the case of the pandemic). In any case, any invocation of reasons for relevant delays both towards data subjects and towards the Authority in the exercise of its supervisory powers should be particularly documented and not pretentious given that the required technical and organizational measures should have already been taken and implemented before the start of the processing of personal data. " In the case under examination, from the information in the file, it appears that the company sends an automated general message citing the pandemic, regardless of the subject matter of the request and the data related to its satisfaction, without examining each request separately to determine whether, based on the circumstances prevailing in the specific case, it becomes necessary to extend the deadline set by the above provision for its satisfaction and without specifically mentioning in this message the time of extension of the deadline. In the case under examination, the company claims that the complainant submitted on ... and ... a total of sixty-three (63) requests in a separate request submission form for each link, a fact which significantly hindered and delayed its work, 10 See Decisions 5/2020 and 32/2021 of the Authority available on its website.

22and that the requests were submitted abusively because they are repetitive and

they were not all submitted in one form. This claim of the company

is based on an incorrect version because each request concerned a different link and,

therefore,these requests are not repetitive and are nevertheless valid

because the submission of these requests cannot be characterized as

abusive. Given these data, the information in question, which is provided in

a horizontal and automated manner and is not personalized and

specifically justified, does not cover the conditions set out in Article 12

paragraph 3 of the GDPR and, therefore, there is a violation of this provision.

18. Because, regarding the possibility of the subject communicating with the company's DPO, following a search by the Authority in the links provided by the company in its memorandum under no. Γ/ΕΙΣ/10595/30-09-2022, it emerged that

there is a link that leads to the completion of a form so that the

subject can communicate with the company's DPO office, without, however, providing the

contact details of the DPO, which must henceforth be provided in a clear

point on its website, although the subject is provided with the possibility of

contacting the company's DPO office in the above manner.

Therefore, the Authority considers that the company Google LLC violates article 37 par. 7

GDPR due to the non-publication of the DPO's contact details, in accordance with

what is mentioned above in paragraph 12.

19. Therefore, from the entire file and the hearing,

it emerges that the company has violated Articles 12 par. 2 and 3, 17 and 37 par. 7

of the GDPR.

Based on the above, the Authority unanimously decides that the

remedial measures referred to in the operative part should be imposed on the

complainant, as controller, the

respondents.

23 FOR THESE REASONS

The Authority

A. Finds that Google LLC, as controller, has

violated Article 12 par. 2 of the GDPR and orders Google LLC,

pursuant to Article 58 par. 2 item c’ of the GDPR, to provide the subjects with the possibility

of attaching a file to document what they support when exercising

their rights within the framework of the GDPR, in accordance with the above paragraph

15.

B. Finds that Google LLC, as controller, has

violated Article 12 par. 3 of the GDPR and orders Google LLC,

pursuant to Article 58 par. 2 lit. c’ of the GDPR, to cease the practice of sending

automated general-non-personalized information messages to

subjects, in accordance with the above paragraph 17.

C. Finds that Google LLC, as controller, has

violated Article 37 par. 7 of the GDPR and instructs Google LLC,
pursuant to Article 58, paragraph 2, item d, to publish the contact details of the

Data Protection Officer in a prominent place on its website,

in accordance with the above paragraph 18, within two (2) months from the notification of

this.

D. Instructs, pursuant to Article 58, paragraph 2, item c of the GDPR,

Google LLC, as controller, to immediately remove

the link referred to above in paragraph 14 as a result of a search for

the complainant's name and surname in the Google search engine.

24 The President The Secretary

Konstantinos Menudakos Irini Papageorgopoulou

25

@@ Line 87: / Line 87: @@
 a. The Covid-19 pandemic is not a valid justification for delays under the GDPR or any other regulation. In any case, the Controller was required to inform the data subject within 30 days of any extension and its reasons.
 b. The Controller claimed the erasure request was incomplete because it lacked the court judgment clearing the data subject of charges. In response, the data subject argued that the erasure request form imposes a character limit and does not allow attachments, preventing them from submitting supporting documents.
 c. The data subject clarified that the deletion request was based on the data being outdated, not unclear, as the Controller asserted.
@@ Line 93: / Line 95: @@
 a. It provides multiple channels for data subjects to request data erasure, including direct email contact with its Data Protection Officer (DPO).
 b. The undeleted link in question referred to a comment, which, according to the Controller, did not meet the criteria for erasure and did not contain any information directly linking it to the data subject.
@@ Line 99: / Line 102: @@
 . Google LLC is the Data Controller, not Google Hellas/Athens, as it is responsible for the deletion process.
 . The data subject is not required to prove their claims, although they must be justified. The erasure request must be fulfilled unless the Controller demonstrates compelling and lawful reasons for continuing to process the data (Article 21(1) GDPR).
 . The remaining undeleted link could be associated with the data subject’s identity and past criminal cases.
 . While the DPA found that the Controller’s submission form allows unlimited characters, it lacks an attachment option, preventing data subjects from submitting supporting documents. The DPA concluded that this hinders the effective exercise of data subjects' rights, as they are forced to seek alternative communication methods. Thus, the Controller fails to facilitate the erasure request process.
-. The Controller did not comply with [[Article 12 GDPR#3|Article 12(3) GDPR]], as a general, automated response does not meet the article’s requirements.
-The contact link for the Controller’s DPO did not include any contact details, making direct communication impossible.
+. The Controller did not comply with [[Article 12 GDPR#3|Article 12(3) GDPR]], as a general, automated response does not meet the article’s requirements. The contact link for the Controller’s DPO did not include any contact details, making direct communication impossible.
 Based on these findings, the DPA ordered the Controller to:
 . Provide an attachment option in the erasure request submission form.
 . Stop sending automated responses to submitted requests.
 . Publish the contact details of its DPO.
 . Delete the remaining link, as requested by the data subject.