AEPD (Spain) - EXP202202000: Difference between revisions

From GDPRhub
No edit summary
No edit summary
Line 75: Line 75:
The DPA noted that under [[Article 17 GDPR#3b|Article 17(3)(b) GDPR]], personal data shall not be erased if their processing is necessary to comply with a legal obligation imposed by Union or Member State law. Pursuant to Spanish Law 39/2015 on administrative procedures, administrative acts shall be published (1) if this is laid down in the rules of procedure or (2) when the competent body deems it appropriate for reasons of public interest.<ref>Law 39/2015, of 1 October, on the Common Administrative Procedure of Administrations.</ref>   
The DPA noted that under [[Article 17 GDPR#3b|Article 17(3)(b) GDPR]], personal data shall not be erased if their processing is necessary to comply with a legal obligation imposed by Union or Member State law. Pursuant to Spanish Law 39/2015 on administrative procedures, administrative acts shall be published (1) if this is laid down in the rules of procedure or (2) when the competent body deems it appropriate for reasons of public interest.<ref>Law 39/2015, of 1 October, on the Common Administrative Procedure of Administrations.</ref>   


The DPA held that the accessibility of publications on the website of a public institution guarantees legal certainty and administrative transparency. Therefore, it may be in the public interest to not de-index the URLs. Thus, the balance that Google LLC struck in its decision to reject the de-indexing requests was permissible.
The DPA held that the accessibility of publications on the website of a public institution guarantees legal certainty and administrative transparency. Therefore, it may be in the public interest to not de-index the URLs. Thus, Google LLC could reject the de-indexing requests on this basis.  


The DPA consequently dismissed the data subject's claim with respect to the two remaining URLs.
The DPA consequently dismissed the data subject's claim with respect to the two remaining URLs.

Revision as of 23:16, 7 September 2022

AEPD - PD-00081-2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 17 GDPR
Article 17(3)(b) GDPR
Type: Complaint
Outcome: Rejected
Started: 02.02.2022
Decided: 16.08.2022
Published: 16.08.2022
Fine: n/a
Parties: Google LLC
National Case Number/Name: PD-00081-2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: PL

The Spanish DPA held that Google LLC was under a legal obligation to preserve search results relating to an employee selection process at a public body and rightfully rejected a data subject's request to de-index the search results relating to their name.

English Summary

Facts

The data subject exercised their right to erasure by requesting Google LLC (controller) to de-index search results of four URLs that contained their personal data. The controller rejected this request twice. The data subject then filed a complaint with the Spanish DPA. During the investigation, the controller reconsidered and removed two of the four URLs. The two remaining URLs concerned an employee selection process at the State General Administrative Body. A provisional list of candidates and assessments relating to the selection process were published on the body's website.

The controller stated that the two remaining URLs referred to information that was of public interest. It argued that institutional websites play an important role in keeping citizens informed on matters of interest to them. The information there should therefore be accessible without restrictions. The controller further argued that the CJEU had held that search results should only be de-indexed after a balancing test of the rights at stake, namely the right to be forgotten and freedom of information. The right to be forgotten cannot imply a retrospective censorship of information correctly published at the time.

Holding

The DPA noted that under Article 17(3)(b) GDPR, personal data shall not be erased if their processing is necessary to comply with a legal obligation imposed by Union or Member State law. Pursuant to Spanish Law 39/2015 on administrative procedures, administrative acts shall be published (1) if this is laid down in the rules of procedure or (2) when the competent body deems it appropriate for reasons of public interest.[1]

The DPA held that the accessibility of publications on the website of a public institution guarantees legal certainty and administrative transparency. Therefore, it may be in the public interest to not de-index the URLs. Thus, Google LLC could reject the de-indexing requests on this basis.

The DPA consequently dismissed the data subject's claim with respect to the two remaining URLs.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

3/12
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
The aforementioned resolution granted the respondent entity a hearing so that it could
present the allegations it considered appropriate within fifteen working days. In
summary, the entity made the following allegations:
The respondent reiterates the same allegations submitted on 29 March 2022 and adds
that, with regard to the fact that this Agency has been informed that, through the
publication of a Resolution, the complainant has passed the opposition, it should be
pointed out that, at the date of the allegations, this resolution has not become final and
can be appealed, and furthermore, it highlights the timeliness and accuracy of the
information.
The public relevance of the information in question explains why the authorities have
published it at the headquarters of the National Statistics Institute, in accordance with
the legally established procedure, so that it is accessible without restriction and can
also be located through search engines such as Google.
Institutional websites play an extremely important role in keeping society informed of
matters that the public authorities consider to be of interest to citizens. In view of the
decision to make the information in question accessible without restriction, it can be
concluded that the authorities have determined that their public interest must prevail
over the complainant's right to data protection.
FOURTH: Having examined the allegations presented by the respondent, they are
transferred to the claimant so that, within a period of fifteen working days, it may
present any allegations it deems appropriate:
The complainant states that he is not requesting that the web pages be removed, but
that they should not be accessed by entering his name, that he is not a public figure or
a celebrity, and that therefore there is no interest for third parties.
FIFTH: Once the allegations presented by the claimant have been examined, they are
transferred to the respondent so that, within fifteen working days, it may present the
allegations it deems appropriate:
The Respondent reiterates the same allegations submitted on 9 May 2022.
THE LEGAL BASIS
FIRST: The Director of the Spanish Data Protection Agency is competent to resolve, in
accordance with the provisions of paragraph 2 of Article 56 in relation to paragraph 1 f)
of Article 57, both of Regulation (EU) 2016/679 of the European Parliament and of the
Council of 27 April 2016 on the protection of natural persons with regard to the
processing of personal data and on the free movement of such data (hereinafter,
RGPD); and Article 47 of the LOPDGDDD.
SECOND: In accordance with the provisions of Article 55 of the RGPD, the Spanish
Data Protection Agency is competent to carry out the functions that
4/12
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
Article 57, including enforcing the Regulation and promoting the awareness of
controllers and processors of their obligations, as well as dealing with complaints
lodged by a data subject and investigating the grounds for such complaints.
Article 31 of the GDPR establishes the obligation of controllers and processors to
cooperate with the supervisory authority on request in the performance of its tasks. In
the event that they have appointed a data protection officer, Article 39 of the GDPR
confers on the latter the task of cooperating with the supervisory authority.
Similarly, the domestic legal system, in Article 65.4 of the LOPDGDD, has provided for
a mechanism prior to the admission for processing of claims made to the Spanish Data
Protection Agency, which consists of transferring them to the data protection officers
designated by the data controllers or data processors, for the purposes provided in
Article 37 of the aforementioned regulation, or to the latter when they have not been
designated, so that they may proceed to analyse the claims and respond to them within
a period of one month.
In accordance with these regulations, prior to the admission for processing of the
complaint that gave rise to this procedure, the complaint was transferred to the entity
responsible so that it could proceed with its analysis, provide this Agency with a
response within a period of one month and accredit that it had provided the claimant
with the appropriate response, in the event of the exercise of the rights regulated in
Articles 15 to 22 of the GDPR.
The result of this transfer did not allow the claims of the complainant to be considered
satisfied. Consequently, on 12 April 2022, for the purposes set out in Article 64.2 of the
LOPDGDD, the Director of the Spanish Data Protection Agency agreed to admit the
complaint submitted for processing. Said agreement to admit for processing
determines the opening of the present procedure for failure to attend to a request to
exercise the rights established in Articles 15 to 22 of the RGPD, regulated in Article
64.1 of the LOPDGDD, according to which:
"Where the procedure relates exclusively to the failure to deal with a request for the
exercise of the rights laid down in Articles 15 to 22 of Regulation (EU) 2016/679, it
shall be initiated by an agreement on admissibility, which shall be adopted in
accordance with the following Article.
In this case, the time limit for resolving the procedure shall be six months from the date
on which the claimant was notified of the decision to admit the claim for processing.
Once this period has elapsed, the interested party may consider his or her claim to
have been upheld.
It is not considered appropriate to determine administrative responsibilities in the
framework of a sanctioning procedure, the exceptional nature of which implies that,
whenever possible, alternative mechanisms that are covered by the regulations in force
should prevail.
7/12
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
"(...) a data processing (...) carried out (...) by the operator of a search engine) carried
out by the operator of a search engine may significantly affect the fundamental rights to
respect for private life and the protection of personal data where the search carried out
using that search engine is carried out on the basis of the name of a natural person,
since such processing enables any internet user to obtain, by means of the list of
results, a structured view of the information relating to that person which can be found
on the internet, potentially concerning a multitude of aspects of that person's private
life, which, without that engine, would not have been interconnected or could only with
difficulty have been interconnected, and which thus enables him to establish a more or
less detailed profile of the person concerned. Moreover, the effect of the interference
with those rights of the data subject is multiplied by the important role played by the
internet and search engines in modern society, which make the information contained
in such a list of results ubiquitous (see, to that effect, Joined Cases C-509/09 and C-
161/10 eDate Advertising and Others, EU:C2011:685, paragraph 45).
"The Court holds that the removal of links from the list of results on the basis of the
name of the natural person concerned by the dissemination of the news item could
have an impact on the legitimate interest of internet users potentially interested in
having access to the information in question, and that it is therefore necessary to strike
a fair balance between that interest and the fundamental right of the person concerned
under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union".
"(...) in order to comply with the rights provided for in those provisions, the operator of a
search engine is obliged, provided that the conditions laid down therein are actually
met, to remove from the list of results obtained following a search based on the name
of a person links to websites published by third parties and containing information
relating to that person, even if that name or that information is not previously or
simultaneously removed from those websites and, where appropriate, even if the
publication on those websites is in itself lawful".
Consequently, the processing of personal data by the operator of a search engine
makes it possible to obtain from a 'name' a list of results providing information about an
individual which may concern his private sphere. Once the data subject has submitted
his request for deletion of his personal data to the search engine, the search engine
must examine it and, if necessary, delete the specific links from the list of results,
without having to contact the website operator before or at the same time.
It also follows that the conflicting rights and interests must be weighed in each specific
case in order to determine which right prevails.
For the purposes of carrying out the task of weighing up, it is worth recalling the
Supreme Court's judgment, number 545/2015, of 15 October 2015, which states that
"the so-called "right to digital oblivion", which is a specification in this field of the rights
derived from the quality requirements of the processing of personal data, does not
protect everyone from constructing a past to suit themselves, forcing publishers to
10/12
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
by means of their name and surname, adding four random numerical digits of the
national identity card, foreigner's identity number, passport or equivalent document",
such publication of personal data does not depend on the will of the data subject, in
this case it is verified that in URLs 2 and 3, it complies with this provision.
The accessibility of publications on the website of a public institution has as its
functions the guarantee of legal certainty, control of the activity of public authorities and
administrative transparency.
Therefore, it is not appropriate to de-index URLs 2 and 3, given that there may be a
legitimate or collective interest, given that, otherwise, the legal order would be
breached and the public interest would be harmed, likewise, this Agency has verified
that in said URLs, the full DNI of the claimant is not accessed, thus complying the
public institution with the seventh additional Provision of the LOPDGDDD.
Consequently, there is no interference with the fundamental right to privacy of the
complainant.
In accordance with the Judgment of the Court of Justice of the European Union at
paragraph 99:
"Article 12(b) and Article 14(a) of Directive 95/46 must be interpreted as meaning that,
when analysing the conditions for the application of those provisions, it is necessary to
examine, in particular, whether the data subject has a right to have the information in
question relating to him no longer linked to his name by a list of results obtained
following a search carried out on the basis of his name, without the assessment of the
existence of such a right presupposing that the inclusion of the information in question
in a list of results obtained following a search carried out on the basis of his name is
not necessary, in the present situation, linked to his name by a list of results obtained
following a search carried out on the basis of his name, without the assessment of the
existence of such a right presupposing that the inclusion of the information in question
in the list of results would cause prejudice to the data subject. Since the data subject
may, having regard to the rights conferred on him by Articles 7 and 8 of the Charter,
request that the information in question no longer be made available to the general
public by inclusion in such a list of results, those rights prevail, in principle, not only
over the economic interest of the operator of the search engine, but also over the
interest of that public in having access to that information in a search relating to that
person's name. However, that would not be the case if it appeared, for specific
reasons, such as the role played by the person concerned in public life, that the
interference with his fundamental rights was justified by the overriding interest of that
public in having, as a result of that inclusion, access to the information in question".
That judgment also states in paragraph 93: 'even an initially lawful processing of
accurate data may, over time, become incompatible with that directive where those
data are no longer necessary in relation to the purposes for which they were collected
or processed. This is the case, in particular, where they are inadequate, irrelevant or
no longer relevant or are excessive in relation to those purposes and the time which
has elapsed".
From an analysis of the legal requirements, we are faced with documents published on
the website of a public institution, which, in order to maintain
11/12
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
informed society and to make matters managed by the institution as widely known as
possible, it uses search engines.
In this case, it has not been accredited that the data and information contained in the
published documentation is inaccurate or obsolete, and therefore the complaint in
relation to URLs 2 and 3 should be rejected as there is no evidence that the selection
process has been completed.
However, the complainant may contact the public institution that has published his or
her personal data on its website, requesting that measures be taken to prevent
indexing, so that typing his or her name and surname does not redirect to that page.
With regard to URLs 1 and 4, the respondent replied within the deadline that it had
decided not to block URLs; however, during the processing of this procedure, the
respondent has proceeded to block these URLs; likewise, this Agency has verified that,
when searching for the name of the complainant in the Google search engine, these
URLs do not appear among the search results.
The purpose of these proceedings is to ensure that the guarantees and rights of those
affected are duly restored, and therefore, in the present case, irrespective of whether or
not Google refused to cancel the URLs, which would be a matter for analysis to
determine the relevance or otherwise of what was published, and given that the
complainant's name is not linked to the search results in the claimed URL, the claims
have been satisfied, the complainant's claims have been satisfied, and therefore the
present complaint in relation to URLs 1 and 4 should be upheld on formal grounds
without any further action being required on the part of the respondent.
having regard to the above-mentioned and other generally applicable precepts,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: DISMISS the complaint lodged by Mr A.A.A. against GOOGLE LLC in relation
to URLs 2 and 3.
SECOND: TO UPHOLD on formal grounds the complaint lodged by Mr. A.A.A. against
GOOGLE LLC in relation to URLs 1 and 4, without requiring any further action on the
part of the respondent.
THIRD: NOTIFY this decision to D. A.A.A. and GOOGLE LLC.
In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be
made public once it has been notified to the interested parties.
Against this resolution, which puts an end to administrative proceedings in accordance
with Article 48.6 of the LOPDGDD, and in accordance with the provisions of Article 123
of the LPACAP, the interested parties may lodge an appeal for reconsideration with the
Director of the Spanish Data Protection Agency within a period of one month from the
day following notification of this resolution or directly lodge a contentious-administrative
appeal with the Administrative Chamber of the National High Court, in accordance with
the provisions of Article 25 and section 5 of the LOPDGDD.
12/12
C/ Jorge Juan, 6
28001 - Madrid
www.aepd.es
sedeagpd.gob.es
the fourth additional provision of Law 29/1998, of 13 July, regulating Contentious-
Administrative Jurisdiction, within two months from the day following notification of this
act, in accordance with the provisions of Article 46.1 of the aforementioned Law.
1035-150321
Mar España Martí
Director of the Spanish Data Protection Agency
  1. Law 39/2015, of 1 October, on the Common Administrative Procedure of Administrations.