Article 17 GDPR: Difference between revisions

From GDPRhub
(10 intermediate revisions by 6 users not shown)
Line 6: Line 6:
|
|


<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto">
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div>
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div>
<div class="mw-collapsible-content">
<div class="mw-collapsible-content">
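Review bot: In the opening `<div class="toccolours mw-collapsible mw-collapsed" ...>` line, `overflow:auto` still sits after the closing quote of the `style` attribute, so dropping the semicolon leaves a stray `"` and a declaration that is parsed as a separate attribute rather than as CSS. Move it inside the attribute value, as in style="border-width: 0px; overflow:auto", and make the same change in the Chapter 2 block that follows.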
Line 17: Line 17:
</div></div>
</div></div>


<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto">
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div>
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div>
<div class="mw-collapsible-content">
<div class="mw-collapsible-content">
Line 214: Line 214:


==Relevant Recitals==
==Relevant Recitals==
<span id="r65">
{{Recital/39 GDPR}}{{Recital/65 GDPR}}{{Recital/66 GDPR}}
<div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"><div>'''Recital 65:''' The right of rectification and the right to be forgotten - Article 17(1) and (3)</div>
 
<div class="mw-collapsible-content">
==Commentary on Article 17==
A data subject should have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject. In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation. That right is relevant in particular where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet. The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child. However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.
The right to erasure, also commonly known as the right to be forgotten, constitutes a very important safeguard for the enforcement of the data protection principles and especially the principle of "data minimisation" as foreseen under [[Article 5 GDPR|Article 5(1)(c) GDPR]]. This right was derived from the interpretation of [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31995L0046 Articles 12(b) and 14(1)(a) of Directive 95/46/EC] by the CJEU in its landmark judgement [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62012CJ0131&from=EN Google Spain C-131/12]. The GDPR is the first piece of legislation that explicitly mentions the right to erasure.   
</div></div><span id="r66"><div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;">
===(1) Legal Grounds===
<div>'''Recital 66:''' The right to be forgotten and the obligation to inform other controllers - Article 17(2)</div>
The right to erasure does not constitute an absolute right granted to data subjects. It can be exercised only if one of the following legal grounds applies. Oftentimes it requires a balancing exercise among the different interests at stake.   
<div class="mw-collapsible-content">
 
To strengthen the right to be forgotten in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data. In doing so, that controller should take reasonable steps, taking into account available technology and the means available to the controller, including technical measures, to inform the controllers which are processing the personal data of the data subject’s request.
[[Article 19 GDPR]] is read together with Article 17(2) GDPR, which foresees the communication of any erasure of personal data to each recipient to whom the personal data had been disclosed (unless this proves impossible or entails disproportionate effort), as well as to the data subject that requested it. 
</div></div>
====(a) Data No Longer Necessary for the Initial Purposes====
==Commentary==
The data subject may invoke the right to erasure when the personal data is no longer necessary for the purpose(s) they were initially collected for or otherwise processed. This legal ground reflects the general GDPR principle of "purpose limitation" as provided for in [[Article 5 GDPR|Article 5(1)(b) GDPR]]. In this case, if a data controller keeps processing the personal data, this processing would be unlawful according to [[Article 5 GDPR|Article 5(1)(b) GDPR]], except if the data controller had previously informed the data subject about the change of purpose according to [[Article 13 GDPR]] and [[Article 14 GDPR]].  
The right to erasure, also commonly known as the right to be forgotten, constitutes a very important safeguard for the enforcement of the data protection principles and especially the principle of "data minimisation" as foreseen under [[Article 5 GDPR#1c|Article 5(1)(c)]]. This right has been hugely disputed and it initially derived from the interpretation of Article 12(b) and Article 14(1)(a) of Directive 95/46/EC that the Court of Justice followed in its landmark judgement [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62012CJ0131&from=EN Google Spain C-131/12]. GDPR is the first piece of legislation that makes explicit mention of the right to erasure.   
====(b) Withdrawal of Consent and No Other Legal Basis====
===(1) Legal grounds===
This ground can apply in cases where the legal basis for processing is consent as provided for in [[Article 6 GDPR|Article 6(1)(a) GDPR]] or in [[Article 9 GDPR|Article 9(2)(a) GDPR]] when special categories of personal data are processed. Further processing of personal data after withdrawal of consent according to [[Article 7 GDPR|Article 7(3) GDPR]] renders that processing operation unlawful and the data controller must erase the personal data upon request. However, if there is another legal basis for lawful processing, the latter controller may continue the processing operations and will not be obliged to erase this data.
The right to erasure does not constitute an absolute right granted to the data subjects. It can be exercised only if -at least- one of the following legal grounds applies and oftentimes it requires a balancing exercise among the different interests at stake.
 
[[Article 19 GDPR|Article 19]] is read together with [[Article 17 GDPR#2|Article 17(2)]], which foresees the communication of any erasure of personal data to each recipient to whom the personal data has been disclosed (unless this proves impossible or entails disproportionate effort) as well as to the data subject that requested it.  
====(c) Objection to Processing and No Overriding Legitimate Grounds====
====(a) Data no longer necessary for the initial purposes====
If the data subject objects to processing in accordance with [[Article 21 GDPR|Article 21(1) GDPR]] and there are no compelling, legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, then the data subject can request that the data is erased.  
The data subject may invoke the right to erasure when the personal data is no longer necessary for the purpose(s) they initially collected or otherwise processed. This legal ground reflects the general GDPR principle of "purpose limitation" as provided for in [[Article 5 GDPR#1b|Article 5(1)(b)]]. In this case, if a data controller keeps processing the personal data, then this processing would be unlawful according to [[Article 5 GDPR#1b|Article 5(1)(b)]], except if the data controller had previously informed the data subject about the change of purpose according to [[Article 13 GDPR]] and [[Article 14 GDPR]].  
 
====(b) Withdrawal of consent and no other legal basis====
When processing is implemented for direct marketing purposes, then, in accordance with [[Article 21 GDPR#2|Article 21(2) GDPR]], further processing will not be lawful (if there is no other legal basis for processing) and such objection can serve as a valid ground to exercise the right to erasure.
This ground can apply in cases where the legal basis for processing is consent as provided for in [[Article 6 GDPR#1a|Article 5(1)(a)]] or in [[Article 9 GDPR#2a|Article 9(2)(a)]] when sensitive categories of personal data are processed. Further processing of personal data after withdrawal of consent according to [[Article 7 GDPR#3|Article 7(3)]] renders that processing operation unlawful and the data controller must erase the personal data upon request. However, if there is another legal basis for lawful processing, such as the compliance of a legal obligation to which the controller is subject, then the latter may continue the processing operations and will not be obliged to erase this data.  
 
====(c) Objection to processing and no overriding legitimate grounds====
In all cases, the data controller bears the burden of demonstrating whether the overriding legitimate grounds exist.
If the data subject objects in accordance with [[Article 21 GDPR#1|Article 21(1)]] and there are no compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or in accordance with [[Article 21 GDPR#2|Article 21(2)]] when processing is implemented for direct marketing purposes, then further processing will not be lawful (if there is no other legal basis for lawful processing) and such objection can serve as a proper ground for exercising the right to erasure. The data controller bears the burden to demonstrate whether the mentioned overriding legitimate grounds exist.
====(d) Unlawful Processing====
====(d) Unlawful processing====
Processing can be unlawful for a number of reasons. Most commonly, processing is unlawful when it lacks any legal basis as prescribed in [[Article 6 GDPR]] or [[Article 9 GDPR]], or when it violates the obligations of data controllers under the GDPR as provided for mainly in Chapter 2.  
The processing can be unlawful in many instances. The most prominent case would be the lack of any legal basis as prescribed in [[Article 6 GDPR|Article 6]] or [[Article 9 GDPR|Article 9]] or the violation of the obligations of the data controllers under the GDPR as provided for mainly in Chapters 4 and 2.  
====(e) Compliance with a Legal Obligation====
====(e) Compliance with a legal obligation====
Such legal obligations are left to the discretion of Member States. Hence, additional cases which would justify the erasure of data can be introduced at a national level.
Such legal obligations are left to the discretion of Member States. Hence, additional cases which would justify the erasure of data can be established at national level.
====(f) Information Society Services to Children====
====(f) Information society services to children====
This provision is meant to ensure a more thorough protective scheme for children, who enjoy increased protection under the GDPR. According to [[Article 8 GDPR|Article 8(1) GDPR]], a child is anyone below the age of 16, though Member States have the discretion to establish a lower age for those purposes (the age of 13 is the minimum permitted age according to the GDPR). Recital 65 GDPR gives a reason for this provision, which is that where the data subject has given his or her consent as a child and is not fully aware of the risks involved in the processing operations, they may want to remove such personal data, especially on the internet. The Recital offers the possibility of exercising this right even when the data subject is no longer a child. 
This provision is meant to ensure a more thorough protective scheme for the sensitive category of data subjects, children. According to [[Article 8 GDPR#1|Article 8(1)]], GDPR defines children below the age of 16 but Member States have the discretion to adopt law establishing a lower age limit for those purposes (the age of 13 is the minimum permitted age according to the GDPR). [[Article 17 GDPR#r65|Recital 65]] is quite insightful about the justification of this provision, which is that where the data subject has given his or her consent as a child is probably not fully aware of the risks involved in the processing operations and may want to remove such personal data, especially on the internet. The recital offers the possibility of exercising this right even when the data subject is no longer a child. Contrary to the above-mentioned provisions, here a potential existence of additional legal bases for processing is not crucial.
===(2) Obligation to Inform Other Controllers===
===(2) Obligation to inform other controllers===
Where a controller has made personal data public, this paragraph establishes an additional obligation to take reasonable steps to inform other controllers which are processing the data that a data subject has requested its erasure. Recital 66 GDPR makes clear that this addition is meant to "''strengthen the right to be forgotten in the online environment''" but it is not limited to this kind of processing. This paragraph is a clear reflection of the ruling in [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62012CJ0131&from=EN Google Spain C-131/12]. 
This paragraph establishes an additional obligation to the data controllers when they have made personal data public. [[Article 17 GDPR#r66|Recital 66]] makes clear that this addition is meant to "strengthen the right to be forgotten in the online environment" but it is not limited to this kind of processing operations. This paragraph is a clear reflection of the ruling in [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62012CJ0131&from=EN Google Spain C-131/12].
 
This obligation has been criticised as conferring an excessive burden on controllers, which is moderated only by the non-defined notion of "reasonable steps". However, there is also the view that the "reasonable steps" constitute an adequate leverage for the data controllers to ensure that they are not obliged to make disproportionate efforts. The compliance of the data controllers with this obligation would be facilitated by documenting all the categories of personal data they have communicated to third parties as well as the third parties.  
This obligation has been criticised as conferring an excessive burden on controllers, which is moderated only by the non-defined notion of "reasonable steps". However, there is also the view that the "reasonable steps" constitute an adequate leverage for the data controllers to ensure that they are not obliged to make disproportionate efforts. Compliance by data controllers with this obligation would be facilitated by documenting all the categories of personal data that they have communicated to third parties.  
===(3) Exceptions===
===(3) Exceptions===
The exceptions here are not absolute, but a necessity test is required. The refusal of the erasure is only allowed "to the extent that processing is necessary" for the reasons below. Interestingly, this yields that a data subject may exercise the right to erasure when the processing is no longer necessary or it is carried out at a level beyond of what is necessary. In any case, the data controllers bear the burden to demonstrate and prove the application of any exception they may rely on.   
The exceptions here are not absolute, but a necessity test is required. The refusal of the erasure is only allowed "to the extent that processing is necessary" for the reasons below. This means that a data subject may exercise the right to erasure when the processing is no longer necessary or it is carried out at a level beyond what is necessary. In any case, the data controllers bear the burden of demonstrating and proving the application of any exception that they may rely on.   
====(a) Freedom of expression and information====
====(a) Freedom of Expression and Information====
This exception reflects one of the most common balancing tests that not only courts but also many data protection authorities have been called upon to implement. Results may vary from case to case, but it can be said that it is a common ground when the case is about a public figure or about the professional life of a data subject the argument for the freedom of expression and information usually prevails. [[Article 85 GDPR#1| Article 85(1)]] is relevant here, according to which "Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression."  
This exception reflects one of the most common balancing tests that not only courts but also many data protection authorities have been called upon to implement. Results may vary from case to case, but when the data is about a public figure or about the professional life of a data subject, the argument for refusing erasure in favor of freedom of expression and information usually prevails. [[Article 85 GDPR|Article 85(1) GDPR]] is relevant here, according to which "Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression."  
====(b) Compliance with a legal obligation/ Public interest/ Official authority====
====(b) Compliance with a Legal Obligation, Public Interest, Official authority====
A common instance of the compliance with a legal obligation is compliance with national tax laws which may require the retention and processing of personal data.   
A common instance of such compliance with a legal obligation is compliance with national tax laws which may require the retention and processing of personal data.   
====(c) Public health====
====(c) Public Health====
====(d) Archiving/ scientific or historical research/ statistical purposes====
''You can help us fill this section!''
====(e) Legal claims====
====(d) Archiving, Scientific, Historical Research, Statistical Purposes====
''You can help us fill this section!''
====(e) Legal Claims====
''You can help us fill this section!''
 
==Decisions==
==Decisions==
→ You can find all related decisions in [[:Category:Article 17 GDPR]]
→ You can find all related decisions in [[:Category:Article 17 GDPR]]
==References==
==References==
<references />
<references />
[[Category:GDPR Articles]]
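Review bot: In "(b) Withdrawal of Consent and No Other Legal Basis", the rewritten last sentence reads "the latter controller may continue the processing operations", but the clause it used to refer back to ("such as the compliance of a legal obligation to which the controller is subject") has been removed, so "the latter" no longer has an antecedent. Suggest "the controller may continue the processing operations". Separately, "(d) Unlawful Processing" now cites only Chapter 2 where the earlier text cited Chapters 4 and 2, and "(f)" drops the sentence stating that additional legal bases are not crucial there; if these are intended changes of substance rather than copy-edits, the edit summary should say so.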

Revision as of 15:19, 17 August 2021

Article 17 - Right to erasure (‘right to be forgotten’)

Legal Text


Article 17 - Right to erasure (‘right to be forgotten’)

1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(e) for the establishment, exercise or defence of legal claims.

Relevant Recitals

Recital 39: Principles of Data Processing
Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. 
Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.

Recital 65: Right to Erasure and Rectification
A data subject should have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject. In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation. That right is relevant in particular where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet. The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child. However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.

Recital 66: Informing Controllers of Erasure
To strengthen the right to be forgotten in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data. In doing so, that controller should take reasonable steps, taking into account available technology and the means available to the controller, including technical measures, to inform the controllers which are processing the personal data of the data subject's request.

Commentary on Article 17

The right to erasure, also commonly known as the right to be forgotten, constitutes a very important safeguard for the enforcement of the data protection principles and especially the principle of "data minimisation" as foreseen under Article 5(1)(c) GDPR. This right was derived from the interpretation of Articles 12(b) and 14(1)(a) of Directive 95/46/EC by the CJEU in its landmark judgement Google Spain C-131/12. The GDPR is the first piece of legislation that explicitly mentions the right to erasure.

(1) Legal Grounds

The right to erasure does not constitute an absolute right granted to data subjects. It can be exercised only if one of the following legal grounds applies. Oftentimes it requires a balancing exercise among the different interests at stake.

Article 19 GDPR is read together with Article 17(2) GDPR, which foresees the communication of any erasure of personal data to each recipient to whom the personal data had been disclosed (unless this proves impossible or entails disproportionate effort), as well as to the data subject that requested it.

(a) Data No Longer Necessary for the Initial Purposes

The data subject may invoke the right to erasure when the personal data are no longer necessary for the purpose(s) for which they were initially collected or otherwise processed. This legal ground reflects the general GDPR principle of "purpose limitation" as provided for in Article 5(1)(b) GDPR. In this case, if a data controller keeps processing the personal data, this processing would be unlawful according to Article 5(1)(b) GDPR, except if the data controller had previously informed the data subject about the change of purpose according to Article 13 GDPR and Article 14 GDPR.

(b) Withdrawal of Consent and No Other Legal Basis

This ground can apply in cases where the legal basis for processing is consent as provided for in Article 6(1)(a) GDPR or in Article 9(2)(a) GDPR when special categories of personal data are processed. Further processing of personal data after withdrawal of consent according to Article 7(3) GDPR renders that processing operation unlawful and the data controller must erase the personal data upon request. However, if there is another legal basis for lawful processing, the controller may continue the processing operations and will not be obliged to erase this data.

(c) Objection to Processing and No Overriding Legitimate Grounds

If the data subject objects to processing in accordance with Article 21(1) GDPR and there are no compelling, legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, then the data subject can request that the data is erased.

When processing is implemented for direct marketing purposes, then, in accordance with Article 21(2) GDPR, further processing will not be lawful (if there is no other legal basis for processing) and such objection can serve as a valid ground to exercise the right to erasure.

In all cases, the data controller bears the burden of demonstrating whether the overriding legitimate grounds exist.

(d) Unlawful Processing

Processing can be unlawful for a number of reasons. Most commonly, processing is unlawful when it lacks any legal basis as prescribed in Article 6 GDPR or Article 9 GDPR, or when it violates the obligations of data controllers under the GDPR as provided for mainly in Chapter 2.

(e) Compliance with a Legal Obligation

Such legal obligations are left to the discretion of Member States. Hence, additional cases which would justify the erasure of data can be introduced at a national level.

(f) Information Society Services to Children

This provision is meant to ensure a more thorough protective scheme for children, who enjoy increased protection under the GDPR. According to Article 8(1) GDPR, a child is anyone below the age of 16, though Member States have the discretion to establish a lower age for those purposes (the age of 13 is the minimum permitted age according to the GDPR). Recital 65 GDPR gives a reason for this provision, which is that where the data subject has given his or her consent as a child and is not fully aware of the risks involved in the processing operations, they may want to remove such personal data, especially on the internet. The Recital offers the possibility of exercising this right even when the data subject is no longer a child.

(2) Obligation to Inform Other Controllers

Where a controller has made personal data public, this paragraph establishes an additional obligation to take reasonable steps to inform other controllers which are processing the data that a data subject has requested its erasure. Recital 66 GDPR makes clear that this addition is meant to "strengthen the right to be forgotten in the online environment" but it is not limited to this kind of processing. This paragraph is a clear reflection of the ruling in Google Spain C-131/12.

This obligation has been criticised as conferring an excessive burden on controllers, which is moderated only by the non-defined notion of "reasonable steps". However, there is also the view that the "reasonable steps" wording gives data controllers adequate leverage to ensure that they are not obliged to make disproportionate efforts. Compliance by data controllers with this obligation would be facilitated by documenting all the categories of personal data that they have communicated to third parties.

(3) Exceptions

The exceptions here are not absolute; a necessity test is required. Refusal of erasure is only allowed "to the extent that processing is necessary" for the reasons below. This means that a data subject may exercise the right to erasure when the processing is no longer necessary or is carried out at a level beyond what is necessary. In any case, the data controllers bear the burden of demonstrating and proving the application of any exception that they may rely on.

(a) Freedom of Expression and Information

This exception reflects one of the most common balancing tests that not only courts but also many data protection authorities have been called upon to implement. Results may vary from case to case, but when the data is about a public figure or about the professional life of a data subject, the argument for refusing erasure in favor of freedom of expression and information usually prevails. Article 85(1) GDPR is relevant here, according to which "Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression."

(b) Compliance with a Legal Obligation, Public Interest, Official Authority

A common instance of such compliance with a legal obligation is compliance with national tax laws which may require the retention and processing of personal data.

(c) Public Health

You can help us fill this section!

(d) Archiving, Scientific, Historical Research, Statistical Purposes

You can help us fill this section!

(e) Legal Claims

You can help us fill this section!

Decisions

→ You can find all related decisions in Category:Article 17 GDPR
