AEPD (Spain) - EXP202202000

From GDPRhub
Revision as of 10:26, 7 September 2022 by Ea (talk | contribs)
AEPD - PD-00081-2022
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 17 GDPR
Article 17(3)(b) GDPR
Type: Complaint
Outcome: Rejected
Started: 02.02.2022
Decided: 16.08.2022
Published: 16.08.2022
Fine: n/a
Parties: Google LLC
National Case Number/Name: PD-00081-2022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: PL

The Spanish DPA held that Google LLC had a legal obligation to preserve search results related to publications from a competition procedure and rightfully rejected a data subject's request to de-index the search results relating to their name.

English Summary

Facts

The data subject exercised their right to erasure by requesting Google LLC (controller) the de-indexation of 4 URLs that contained their personal data. The controller denied this twice per email. The data subject then filed a complaint with the Spanish DPA.

The DPA notified the controller's DPO of the complaint, who indicated that it previously denied the request twice. However, during the investigation, the controller reconsidered and removed 2 of the 4 URLs. The two remaining URLs related to the State General Administrative Body competition. A provisional list of candidates and an assessment were published in relation to the selection procedure.

The controller stated that the two remaining URLs refer to information that is relevant and of public interest related to the professional life of the data subject. It argued that institutional websites play an important role in keeping citizens informed on matters of interest to them. The information should therefore be accessible without restrictions.

The controller argued that the CJEU has declared that blocking search results may have an impact on the legitimate interest of users potentially interested in having access to the information in question, and that for this reason only search results should be blocked, after the appropriate weighing between the different rights at stake, taking into account the nature of the information in question, the sensitive nature of the private life of the affected person and the interest of the public in having this information, which may vary, for example, depending on the role that the interested party plays in public life. The right to erasure, also known as the right to be forgotten is a right that finds its limit in freedom of information. It is a right that cannot imply a retrospective censorship of the information correctly published at the time, and that does not allow the construction of a past tailored to the people mentioned in the information accessible on the Web.

The AEPD was not satisfied that the request of the data subject had been properly addressed, therefore it admitted the complaint and provided controller with 15 days to present all pertinent allegations. In response, controller confirmed its previous position and added that in view of the decision to make the information in question accessible without restrictions, it can be concluded that the authorities (the publisher website) have determined that their public interest must prevail over the right to data protection of the complaining party.

Holding

In reaching its decision, the AEPD followed the Mario Costeja González ruling to determine that:

- The operator of the search engine is the data controller in determining the purposes and means of its activity.

- Data subjects have the possibility of exercising the right of erasure before the Internet search engine without having to contact the owner of the website who published the information in dispute.

- The balancing assessment to be conducted when several competing rights are at play, i.e. freedom of expression, right to privacy, and public interest. The AEPD stated that in order to assess the public relevance of the matter, it must be analysed whether the published information continues to be of general interest due to the time that has elapsed.

Finally, the AEPD moved on to considered whether or not the request to disassociate the data subject's name from the URLs in question should be fulfilled. It was confirmed that after carrying out a search based on the name of the complaining party, a list of results is accessed in which the data subject's information and personal data appear. This information refers to publications about the data subject's professional life. That is, participation in the public selective process.

The AEPD considered that this processing activity falls under the exception established in Article 17(3)(b) GDPR which indicates that the Right to Erasure shall not apply to the extent that processing is necessary for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

In this case, Law 39/2015, of October 1, on the Common Administrative Procedure of Administrations, provides that administrative acts will be published when so established by the regulations governing each procedure or when advised by reasons of public interest by a competent body.

Likewise, section 7 of the LOPDGDD determines that " Whenever is necessary the publication of an act that is n is necessary to contain personal data of the affected party, it will be identified by the name and surname of the affected party, adding four random numerical figures of the national identity document, foreign identity number, passport or equivalent document", such publication of personal data does not depend on the will of the interested party. In this case, the AEPD agreed that the remaining URLs complied with these specifications.

Consequently, the AEPD dismissed the data subject's claim with respect to the two remaining URLs.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details. 

(June 28, 2022). The director of the Spanish Agency for Data Protection (AEPD), Mar España Martí, and the president of UNICEF Spain, Gustavo Suárez Pertierra, have signed a General Protocol of Action for the development of actions aimed at the protection of...
Retrieved from "https://gdprhub.eu/index.php?title=AEPD_(Spain)_-_EXP202202000&oldid=27988"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki