AEPD (Spain) - EXP202202000
|AEPD - PD-00081-2022
|Article 17 GDPR
Article 17(3)(b) GDPR
|National Case Number/Name:
|European Case Law Identifier:
|AEPD (in ES)
The Spanish DPA held that Google LLC was under a legal obligation to preserve search results relating to an employee selection process at a public body and rightfully rejected a data subject's request to de-index the search results relating to their name.
The data subject exercised their right to erasure by requesting Google LLC (controller) to de-index search results of four URLs that contained their personal data. The controller rejected this request twice. The data subject then filed a complaint with the Spanish DPA. During the investigation, the controller reconsidered and removed two of the four URLs. The two remaining URLs concerned an employee selection process at the State General Administrative Body. A provisional list of candidates and assessments relating to the selection process were published on the body's website.
The controller stated that the two remaining URLs referred to information that was of public interest. It argued that institutional websites play an important role in keeping citizens informed on matters of interest to them. The information there should therefore be accessible without restrictions. The controller further argued that the CJEU had held that search results should only be de-indexed after a balancing test of the rights at stake, namely the right to be forgotten and freedom of information. The right to be forgotten cannot imply a retrospective censorship of information correctly published at the time.
The DPA noted that under Article 17(3)(b) GDPR, personal data shall not be erased if their processing is necessary to comply with a legal obligation imposed by Union or Member State law. Pursuant to Spanish Law 39/2015 on administrative procedures, administrative acts shall be published (1) if this is laid down in the rules of procedure or (2) when the competent body deems it appropriate for reasons of public interest.
The DPA held that the accessibility of publications on the website of a public institution guarantees legal certainty and administrative transparency. Therefore, it may be in the public interest to not de-index the URLs. Thus, Google LLC could reject the de-indexing requests on this basis.
The DPA consequently dismissed the data subject's claim with respect to the two remaining URLs.
Share your comments here!
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
3/12 C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es The aforementioned resolution granted the respondent entity a hearing so that it could present the allegations it considered appropriate within fifteen working days. In summary, the entity made the following allegations: The respondent reiterates the same allegations submitted on 29 March 2022 and adds that, with regard to the fact that this Agency has been informed that, through the publication of a Resolution, the complainant has passed the opposition, it should be pointed out that, at the date of the allegations, this resolution has not become final and can be appealed, and furthermore, it highlights the timeliness and accuracy of the information. The public relevance of the information in question explains why the authorities have published it at the headquarters of the National Statistics Institute, in accordance with the legally established procedure, so that it is accessible without restriction and can also be located through search engines such as Google. Institutional websites play an extremely important role in keeping society informed of matters that the public authorities consider to be of interest to citizens. In view of the decision to make the information in question accessible without restriction, it can be concluded that the authorities have determined that their public interest must prevail over the complainant's right to data protection. FOURTH: Having examined the allegations presented by the respondent, they are transferred to the claimant so that, within a period of fifteen working days, it may present any allegations it deems appropriate: The complainant states that he is not requesting that the web pages be removed, but that they should not be accessed by entering his name, that he is not a public figure or a celebrity, and that therefore there is no interest for third parties. FIFTH: Once the allegations presented by the claimant have been examined, they are transferred to the respondent so that, within fifteen working days, it may present the allegations it deems appropriate: The Respondent reiterates the same allegations submitted on 9 May 2022. THE LEGAL BASIS FIRST: The Director of the Spanish Data Protection Agency is competent to resolve, in accordance with the provisions of paragraph 2 of Article 56 in relation to paragraph 1 f) of Article 57, both of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter, RGPD); and Article 47 of the LOPDGDDD. SECOND: In accordance with the provisions of Article 55 of the RGPD, the Spanish Data Protection Agency is competent to carry out the functions that 4/12 C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es Article 57, including enforcing the Regulation and promoting the awareness of controllers and processors of their obligations, as well as dealing with complaints lodged by a data subject and investigating the grounds for such complaints. Article 31 of the GDPR establishes the obligation of controllers and processors to cooperate with the supervisory authority on request in the performance of its tasks. In the event that they have appointed a data protection officer, Article 39 of the GDPR confers on the latter the task of cooperating with the supervisory authority. Similarly, the domestic legal system, in Article 65.4 of the LOPDGDD, has provided for a mechanism prior to the admission for processing of claims made to the Spanish Data Protection Agency, which consists of transferring them to the data protection officers designated by the data controllers or data processors, for the purposes provided in Article 37 of the aforementioned regulation, or to the latter when they have not been designated, so that they may proceed to analyse the claims and respond to them within a period of one month. In accordance with these regulations, prior to the admission for processing of the complaint that gave rise to this procedure, the complaint was transferred to the entity responsible so that it could proceed with its analysis, provide this Agency with a response within a period of one month and accredit that it had provided the claimant with the appropriate response, in the event of the exercise of the rights regulated in Articles 15 to 22 of the GDPR. The result of this transfer did not allow the claims of the complainant to be considered satisfied. Consequently, on 12 April 2022, for the purposes set out in Article 64.2 of the LOPDGDD, the Director of the Spanish Data Protection Agency agreed to admit the complaint submitted for processing. Said agreement to admit for processing determines the opening of the present procedure for failure to attend to a request to exercise the rights established in Articles 15 to 22 of the RGPD, regulated in Article 64.1 of the LOPDGDD, according to which: "Where the procedure relates exclusively to the failure to deal with a request for the exercise of the rights laid down in Articles 15 to 22 of Regulation (EU) 2016/679, it shall be initiated by an agreement on admissibility, which shall be adopted in accordance with the following Article. In this case, the time limit for resolving the procedure shall be six months from the date on which the claimant was notified of the decision to admit the claim for processing. Once this period has elapsed, the interested party may consider his or her claim to have been upheld. It is not considered appropriate to determine administrative responsibilities in the framework of a sanctioning procedure, the exceptional nature of which implies that, whenever possible, alternative mechanisms that are covered by the regulations in force should prevail. 7/12 C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es "(...) a data processing (...) carried out (...) by the operator of a search engine) carried out by the operator of a search engine may significantly affect the fundamental rights to respect for private life and the protection of personal data where the search carried out using that search engine is carried out on the basis of the name of a natural person, since such processing enables any internet user to obtain, by means of the list of results, a structured view of the information relating to that person which can be found on the internet, potentially concerning a multitude of aspects of that person's private life, which, without that engine, would not have been interconnected or could only with difficulty have been interconnected, and which thus enables him to establish a more or less detailed profile of the person concerned. Moreover, the effect of the interference with those rights of the data subject is multiplied by the important role played by the internet and search engines in modern society, which make the information contained in such a list of results ubiquitous (see, to that effect, Joined Cases C-509/09 and C- 161/10 eDate Advertising and Others, EU:C2011:685, paragraph 45). "The Court holds that the removal of links from the list of results on the basis of the name of the natural person concerned by the dissemination of the news item could have an impact on the legitimate interest of internet users potentially interested in having access to the information in question, and that it is therefore necessary to strike a fair balance between that interest and the fundamental right of the person concerned under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union". "(...) in order to comply with the rights provided for in those provisions, the operator of a search engine is obliged, provided that the conditions laid down therein are actually met, to remove from the list of results obtained following a search based on the name of a person links to websites published by third parties and containing information relating to that person, even if that name or that information is not previously or simultaneously removed from those websites and, where appropriate, even if the publication on those websites is in itself lawful". Consequently, the processing of personal data by the operator of a search engine makes it possible to obtain from a 'name' a list of results providing information about an individual which may concern his private sphere. Once the data subject has submitted his request for deletion of his personal data to the search engine, the search engine must examine it and, if necessary, delete the specific links from the list of results, without having to contact the website operator before or at the same time. It also follows that the conflicting rights and interests must be weighed in each specific case in order to determine which right prevails. For the purposes of carrying out the task of weighing up, it is worth recalling the Supreme Court's judgment, number 545/2015, of 15 October 2015, which states that "the so-called "right to digital oblivion", which is a specification in this field of the rights derived from the quality requirements of the processing of personal data, does not protect everyone from constructing a past to suit themselves, forcing publishers to 10/12 C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es by means of their name and surname, adding four random numerical digits of the national identity card, foreigner's identity number, passport or equivalent document", such publication of personal data does not depend on the will of the data subject, in this case it is verified that in URLs 2 and 3, it complies with this provision. The accessibility of publications on the website of a public institution has as its functions the guarantee of legal certainty, control of the activity of public authorities and administrative transparency. Therefore, it is not appropriate to de-index URLs 2 and 3, given that there may be a legitimate or collective interest, given that, otherwise, the legal order would be breached and the public interest would be harmed, likewise, this Agency has verified that in said URLs, the full DNI of the claimant is not accessed, thus complying the public institution with the seventh additional Provision of the LOPDGDDD. Consequently, there is no interference with the fundamental right to privacy of the complainant. In accordance with the Judgment of the Court of Justice of the European Union at paragraph 99: "Article 12(b) and Article 14(a) of Directive 95/46 must be interpreted as meaning that, when analysing the conditions for the application of those provisions, it is necessary to examine, in particular, whether the data subject has a right to have the information in question relating to him no longer linked to his name by a list of results obtained following a search carried out on the basis of his name, without the assessment of the existence of such a right presupposing that the inclusion of the information in question in a list of results obtained following a search carried out on the basis of his name is not necessary, in the present situation, linked to his name by a list of results obtained following a search carried out on the basis of his name, without the assessment of the existence of such a right presupposing that the inclusion of the information in question in the list of results would cause prejudice to the data subject. Since the data subject may, having regard to the rights conferred on him by Articles 7 and 8 of the Charter, request that the information in question no longer be made available to the general public by inclusion in such a list of results, those rights prevail, in principle, not only over the economic interest of the operator of the search engine, but also over the interest of that public in having access to that information in a search relating to that person's name. However, that would not be the case if it appeared, for specific reasons, such as the role played by the person concerned in public life, that the interference with his fundamental rights was justified by the overriding interest of that public in having, as a result of that inclusion, access to the information in question". That judgment also states in paragraph 93: 'even an initially lawful processing of accurate data may, over time, become incompatible with that directive where those data are no longer necessary in relation to the purposes for which they were collected or processed. This is the case, in particular, where they are inadequate, irrelevant or no longer relevant or are excessive in relation to those purposes and the time which has elapsed". From an analysis of the legal requirements, we are faced with documents published on the website of a public institution, which, in order to maintain 11/12 C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es informed society and to make matters managed by the institution as widely known as possible, it uses search engines. In this case, it has not been accredited that the data and information contained in the published documentation is inaccurate or obsolete, and therefore the complaint in relation to URLs 2 and 3 should be rejected as there is no evidence that the selection process has been completed. However, the complainant may contact the public institution that has published his or her personal data on its website, requesting that measures be taken to prevent indexing, so that typing his or her name and surname does not redirect to that page. With regard to URLs 1 and 4, the respondent replied within the deadline that it had decided not to block URLs; however, during the processing of this procedure, the respondent has proceeded to block these URLs; likewise, this Agency has verified that, when searching for the name of the complainant in the Google search engine, these URLs do not appear among the search results. The purpose of these proceedings is to ensure that the guarantees and rights of those affected are duly restored, and therefore, in the present case, irrespective of whether or not Google refused to cancel the URLs, which would be a matter for analysis to determine the relevance or otherwise of what was published, and given that the complainant's name is not linked to the search results in the claimed URL, the claims have been satisfied, the complainant's claims have been satisfied, and therefore the present complaint in relation to URLs 1 and 4 should be upheld on formal grounds without any further action being required on the part of the respondent. having regard to the above-mentioned and other generally applicable precepts, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: DISMISS the complaint lodged by Mr A.A.A. against GOOGLE LLC in relation to URLs 2 and 3. SECOND: TO UPHOLD on formal grounds the complaint lodged by Mr. A.A.A. against GOOGLE LLC in relation to URLs 1 and 4, without requiring any further action on the part of the respondent. THIRD: NOTIFY this decision to D. A.A.A. and GOOGLE LLC. In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to administrative proceedings in accordance with Article 48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, the interested parties may lodge an appeal for reconsideration with the Director of the Spanish Data Protection Agency within a period of one month from the day following notification of this resolution or directly lodge a contentious-administrative appeal with the Administrative Chamber of the National High Court, in accordance with the provisions of Article 25 and section 5 of the LOPDGDD. 12/12 C/ Jorge Juan, 6 28001 - Madrid www.aepd.es sedeagpd.gob.es the fourth additional provision of Law 29/1998, of 13 July, regulating Contentious- Administrative Jurisdiction, within two months from the day following notification of this act, in accordance with the provisions of Article 46.1 of the aforementioned Law. 1035-150321 Mar España Martí Director of the Spanish Data Protection Agency
- Law 39/2015, of 1 October, on the Common Administrative Procedure of Administrations.