Article 17 GDPR: Difference between revisions

From GDPRhub
(style consistency)
Line 218: Line 218:
{{Recital/39 GDPR}}{{Recital/65 GDPR}}{{Recital/66 GDPR}}
{{Recital/39 GDPR}}{{Recital/65 GDPR}}{{Recital/66 GDPR}}


==Commentary on Article 17==
==Commentary==
The right to erasure, also commonly known as the right to be forgotten, constitutes a very important safeguard for the enforcement of the data protection principles and especially the principle of "data minimisation" as foreseen under [[Article 5 GDPR|Article 5(1)(c) GDPR]]. This right was derived from the interpretation of [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31995L0046 Articles 12(b) and 14(1)(a) of Directive 95/46/EC] by the CJEU in its landmark judgement [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62012CJ0131&from=EN Google Spain C-131/12]. The GDPR is the first piece of legislation that explicitly mentions the right to erasure.  
The right to erasure, which in its current form in the GDPR has come to also be known as the “right to be forgotten”, is regarded as one of the particular novelties introduced by this Regulation. More concretely, it is a further elaboration of the right to erasure contained in Articles 12(b), 12(c) and 14(a) of the Data Protection Directive 95/46/EC<ref>Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.</ref> which preceded it. Its development is a clear example of the modernisation of European data protection rules in order to keep up with the times. As noted by ''Kranenborg'', its added prominence in the GDPR ''“recognises its increased importance in today’s society, in which personal data is generated, made public and shared on a massive scale, as an instrument for the data subject to retain a certain control over personal data.”''<ref>''Kranenborg'' in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 17 GDPR, p. 477 (Oxford University Press 2020).</ref>
 
A major precedent which informed the GDPR’s right to erasure was the interpretation of Articles 12(b) and 14(1)(a) of Directive 95/46/EC by the CJEU in its landmark judgement ''Google Spain''.<ref>CJEU, Case C-131/12, ''Google Spain,'' 13 May 2014 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=152065&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=4040563 here]).</ref> However, it cannot be said that the “right to be forgotten” per se derived from this decision. Instead, what was established was the “right to request delisting”, because what was ordered by the court in this case was the removal of search results linking a document to a data subject’s name, while the information itself (an article in a Spanish newspaper) remained online and publicly accessible. Specifically, the court ruled that data subjects can request search engines to delist certain URLs from search results if the information online is ''“inadequate, irrelevant or no longer relevant, or excessive.”''<ref>CJEU, Case C-131/12, ''Google Spain,'' 13 May 2014, margin numbers 93-94 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=152065&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=4040563 here]).</ref>
 
As a direct result of this case, in 2020, the EDPB adopted the “Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR”,<ref>EDPB, ‘Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1)’, 7 July 2020 (Version 2.0) (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201905_rtbfsearchengines_afterpublicconsultation_en.pdf here]).</ref> to specify the content and scope of the “right to request delisting”. According to the Guidelines, this right ''“implies two rights (Right to Object and Right to Erasure GDPR). Indeed, the application of Article 21 is expressly foreseen as the third ground for the Right to erasure. As a result, both Article 17 and Article 21 GDPR can serve as a legal basis for delisting requests. […] There are some considerations when applying Article 17 GDPR in respect of a search engine provider’s data processing. In this regard, it is necessary to state that the processing of personal data carried out in the context of the activity of the search engine provider must be distinguished from processing that is carried out by the publishers of the third-party websites such as media outlets that provide online newspaper content. If a data subject obtains the delisting of a particular content, this will result in the deletion of that specific content from the list of search results concerning the data subject when the search is, as a main rule, based on his or her name. This content will however still be available using other search criteria.”''<ref>EDPB, ‘Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1)’, 7 July 2020 (Version 2.0), p. 5 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201905_rtbfsearchengines_afterpublicconsultation_en.pdf here]).</ref>
 
While the right to erasure is a well-established data protection right, the “right to request delisting” has proved to be more controversial due to freedom of expression and general human rights concerns amongst many civil society groups. For example, Access Now, in their official position regarding this topic, has stated that, although it ''“supports the right to erasure, we cannot support establishing a right to de-list or a right to obscurity. If it is misinterpreted or implemented the wrong way — particularly in the absence of a comprehensive data protection law and with inadequate transparency — it poses a significant threat to human rights. It must under no circumstances be misinterpreted or misapplied to enable the removal of online content, including from news media or social media.”''<ref>Access Now, ‘Position Paper: Understanding The “Right To Be Forgotten” Globally’, September 2016 (accessed 22 February 2022) (available [https://www.accessnow.org/cms/assets/uploads/2017/09/RTBF_Sep_2016.pdf here]).</ref>
 
Another notable case in which the CJEU considered the right of erasure was in ''Manni'',<ref>CJEU, Case C-398/15, ''Manni,'' 9 March 2017 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=188750&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=4056877 here]).</ref> in which the Court established that this right did not necessarily require the erasure of personal data from a public companies register. Although the CJEU conceded that in exceptional cases this erasure could take place, it did not go as far as to mandate a specific timeframe for the retention of this data.<ref>CJEU, Case C-398/15, ''Manni,'' 9 March 2017, margin numbers 60, 63 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=188750&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=4056877 here]).</ref>
 
Some scholars have referred to the right of erasure as the most ambiguous right within the GDPR, noting that ''“whether any item of data can ever be fully or properly erased is very much open to question''.”<ref>''Kelleher, Murray'', EU Data Protection Law, p. 208 (Bloomsbury Professional 2018).</ref> However, it must be said that it constitutes a very important safeguard for the enforcement of the data protection principles, especially the principle of "data minimisation" as foreseen under Article 5(1)(c) GDPR.
===(1) Legal Grounds===
===(1) Legal Grounds===
The right to erasure does not constitute an absolute right granted to data subjects. It can be exercised only if one of the following legal grounds applies. Oftentimes it requires a balancing exercise among the different interests at stake.     
The right to erasure does not constitute an absolute right granted to data subjects. It can be exercised only if one of the following legal grounds applies, which in turn gives rise to a correlated obligation on the controller. As ''Voigt and von dem Bussche'' note, “''the right of the data subject shall only help to enforce the controller’s obligation to erase personal data that would exist anyway under any of the grounds of Art. 17 Sec. 1 GDPR.''”<ref>''Voigt, von dem Bussche'', The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 159 (Springer 2017).</ref> Oftentimes, it also requires a balancing exercise among the different interests at stake.


[[Article 19 GDPR]] is read together with Article 17(2) GDPR, which foresees the communication of any erasure of personal data to each recipient to whom the personal data had been disclosed (unless this proves impossible or entails disproportionate effort), as well as to the data subject that requested it. 
==== (a) Data No Longer Necessary for the Initial Purposes ====
====(a) Data No Longer Necessary for the Initial Purposes====
The data subject may invoke the right to erasure when the personal data is no longer necessary for the purpose(s) they were initially collected for or otherwise processed. This legal ground reflects the general GDPR principles of "purpose limitation" and “storage limitation” as provided for in Articles 5(1)(b) and (e) GDPR. In this case, if a data controller continues to process the personal data, this processing would be at odds with these provisions, unless the data controller had previously informed the data subject about the change of purpose according to Article 13(3) GDPR and Article 14(4) GDPR, or if it ''“is necessary for realising another purpose of processing that partially overlaps with or is compatible with the eliminated purpose.”''<ref>''Voigt, von dem Bussche'', The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 157 (Springer 2017), citing Laue et al., Datenschutzrecht, Rechte der betroffenen Person (2016), margin number 41.</ref> In this sense, Article 6(4) GDPR establishes that, unless the further processing is based on consent or laid out by law, in order for the controller to determine whether processing for another purpose is compatible with the purpose for which the personal data was initially collected, certain elements have to be taken into consideration (''inter alia'', the link between the former and further purpose, the context or relationship between the data subject and the controller, the nature of the personal data, the possible consequences of further processing, and the existence of appropriate safeguards).
The data subject may invoke the right to erasure when the personal data is no longer necessary for the purpose(s) they were initially collected for or otherwise processed. This legal ground reflects the general GDPR principle of "purpose limitation" as provided for in [[Article 5 GDPR|Article 5(1)(b) GDPR]]. In this case, if a data controller keeps processing the personal data, this processing would be unlawful according to [[Article 5 GDPR|Article 5(1)(b) GDPR]], except if the data controller had previously informed the data subject about the change of purpose according to [[Article 13 GDPR]] and [[Article 14 GDPR]].  
====(b) Withdrawal of Consent and No Other Legal Basis====
====(b) Withdrawal of Consent and No Other Legal Basis====
This ground can apply in cases where the legal basis for processing is consent as provided for in [[Article 6 GDPR|Article 6(1)(a) GDPR]] or in [[Article 9 GDPR|Article 9(2)(a) GDPR]] when special categories of personal data are processed. Further processing of personal data after withdrawal of consent according to [[Article 7 GDPR|Article 7(3) GDPR]] renders that processing operation unlawful and the data controller must erase the personal data upon request. However, if there is another legal basis for lawful processing, the latter controller may continue the processing operations and will not be obliged to erase this data.
This ground can apply in cases where the legal basis for processing is consent as provided for in Article 6(1)(a) GDPR, or in Article 9(2)(a) GDPR when special categories of personal data are processed. According to Article 7(3) GDPR, the data subject may withdraw their consent at any time, and it must be as easy to withdraw that consent as it was to give it. Further processing of personal data after withdrawal of consent renders that processing operation unlawful and the data controller must erase the personal data upon request. However, if there is another legal basis for lawful processing of the personal data, or a part of it, the controller may continue the processing operations and will not be obliged to erase this data.


====(c) Objection to Processing and No Overriding Legitimate Grounds====
====(c) Objection to Processing and No Overriding Legitimate Grounds====
If the data subject objects to processing in accordance with [[Article 21 GDPR|Article 21(1) GDPR]]  and there are no compelling, legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, then the data subject can request that the data is erased.  
According to this provision, a data subject may request an erasure when they have objected to processing in accordance with Article 21(1) GDPR, which establishes the right to objection based on the data subject’s particular situation, when processing is based on the legal bases in Article 6(1)(e) and (f) GDPR (processing is necessary for the performance of a task in the public interest or legitimate interest of the controller), including profiling based on these provisions. In this case, the controller must grant the data subject’s right to erasure when there are no compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims. 
 
In all cases, the data controller bears the burden of demonstrating whether the overriding legitimate grounds exist. However, the data subject must demonstrate the circumstances that have led to the modified interests at stake. Furthermore, as ''Voigt and von dem Bussche'' note, the controller would have ''“the right to revaluate the situation as its own interests for processing might still prevail and an erasure might not have to take place. This evaluation might require some time, and thus the data subject could exercise its right to restriction of processing in the meantime.''”<ref>''Voigt, von dem Bussche'', The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 157 (Springer 2017).</ref> When processing is implemented for direct marketing purposes, then, in accordance with Article 21(2) GDPR, further processing will not be lawful (if there is no other legal basis for processing) and a simple objection by the data subject will be enough to exercise the right to erasure.  


When processing is implemented for direct marketing purposes, then, in accordance with [[Article 21 GDPR#2|Article 21(2) GDPR]], further processing will not be lawful (if there is no other legal basis for processing) and such objection can serve as a valid ground to exercise the right to erasure.  
Direct marketing should be interpreted in a broad sense, and as ''Carey'' points out, this right ''“will extend both to records of marketing communications sent to data subjects and also to any underlying personal data that are held for direct marketing purposes, including personal data used for profiling purposes (i.e. to identify a subject as a marketing target). As direct marketing is considered to include any targeted communications that promote the 'aims and ideals' of an organization, data held for the purposes of political canvassing and for charitable fundraising purposes may therefore be caught by the right of erasure.”''<ref>''Carey'', Data Protection: A Practical Guide to UK and EU Law, p. 144 (Oxford University Press, 2018, 5th Edition).</ref>


In all cases, the data controller bears the burden of demonstrating whether the overriding legitimate grounds exist.
====(d) Unlawful Processing====
====(d) Unlawful Processing====
Processing can be unlawful for a number of reasons. Most commonly, processing is unlawful when it lacks any legal basis as prescribed in [[Article 6 GDPR]] or [[Article 9 GDPR]], or when it violates the obligations of data controllers under the GDPR as provided for mainly in Chapter 2.  
Processing can be unlawful for a number of reasons. Most commonly, processing is unlawful when it lacks any legal basis as prescribed in Article 6 GDPR or Article 9 GDPR, or when it violates the obligations of data controllers under the GDPR as provided for mainly in Chapter 2 and 4. As ''Voigt and von dem Bussche'' observe, ''“this provision can be seen as a sweeping clause, as it grants a right to erasure where processing is unlawful, whether it is for a lacking legal permission for processing or for non-compliance with the Regulation, such as regarding the organisational obligations of the controller”.''<ref>''Voigt, von dem Bussche'', The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 158 (Springer 2017).</ref>
====(e) Compliance with a Legal Obligation====
====(e) Compliance with a Legal Obligation====
Such legal obligations are left to the discretion of Member States. Hence, additional cases which would justify the erasure of data can be introduced at a national level.  
This provision establishes a legal basis analogous to the legal basis for processing under Article 6(1)(c) GDPR. It contains an opening clause by which legal obligations are left to the discretion of Member States. Hence, additional cases which would justify the erasure of data can be introduced at a national level.
====(f) Information Society Services to Children====
====(f) Information Society Services to Children====
This provision is meant to ensure a more thorough protective scheme for children, who enjoy increased protection under the GDPR. According to [[Article 8 GDPR|Article 8(1) GDPR]], a child is anyone below the age of 16, though Member States have the discretion to establish a lower age for those purposes (the age of 13 is the minimum permitted age according to the GDPR). Recital 65 GDPR gives a reason for this provision, which is that where the data subject has given his or her consent as a child and is not fully aware of the risks involved in the processing operations, they may want to remove such personal data, especially on the internet. The Recital offers the possibility of exercising this right even when the data subject is no longer a child.   
This provision is meant to ensure a more thorough protective scheme for children, who enjoy increased protection under the GDPR. According to Article 8(1) GDPR, a child is anyone below the age of 16, though Member States have the discretion to establish a lower age for those purposes (the age of 13 is the minimum permitted age according to the GDPR). According to Article 4(25) GDPR ''“‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council.”'' Recital 65 GDPR establishes a reason for this provision, stating that where the data subject has given their consent as a child, and is not fully aware of the risks involved in the processing operations, they may want to remove such personal data, especially on the internet. The aforementioned Recital 65 also offers the possibility of exercising this right even when the data subject is no longer a child. According to ''Voigt and von dem Bussche'', ''“it is unclear whether this right to erasure equals a withdrawal of consent and, thus, this provision would not have a separate scope of application as it would be a sub-part of Art. 17 Sec. 1 lit. a GDPR. Given the legislator’s aim to increase the protection of children and the otherwise lacking additional benefit, the provision should allow a request for erasure of selective personal data (where possible) without a withdrawal of the consent for processing altogether.”''<ref>''Voigt, von dem Bussche'', The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 158 (Springer 2017).</ref>
===(2) Obligation to Inform Other Controllers===
===(2) Obligation to Inform Other Controllers===
Where a controller has made personal data public, this paragraph establishes an additional obligation to take reasonable steps to inform other controllers which are processing the data that a data subject has requested its erasure. Recital 66 GDPR makes clear that this addition is meant to "''strengthen the right to be forgotten in the online environment''" but it is not limited to this kind of processing. This paragraph is a clear reflection of the ruling in [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:62012CJ0131&from=EN Google Spain C-131/12].
This paragraph establishes an additional obligation for controllers who have made personal data public, to take reasonable steps to inform other controllers (including employees of the controller), processors, and third parties, which are processing this data, that its erasure has been requested by a data subject. Article 17(2) GDPR is read together with Article 19 GDPR, which foresees the communication of any erasure of personal data to each recipient to whom the personal data had been disclosed (unless this proves impossible or entails disproportionate effort), as well as informing the data subject about those recipients if requested. Recital 66 GDPR clearly states that this addition is meant to "strengthen the right to be forgotten in the online environment", although it is not limited to this kind of processing. This paragraph is a clear reflection of the ruling in ''Google Spain.''<ref>CJEU, Case C-131/12, ''Google Spain,'' 13 May 2014 (available [https://curia.europa.eu/juris/document/document.jsf?text=&docid=152065&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=4064266 here]).</ref>
 
''Rucker and Kugler'' note that to be able to comply with the requirements set out in Article 19 GDPR, ''“controllers should document and keep track of the organisations they transfer personal data to and the categories of personal data transferred.''”<ref>''Schrey,'' in Rücker, Kugler, New European General Data Protection Regulation, A Practitioner's Guide: Ensuring Compliant Corporate Practice, p. 142 (C.H. Beck 2018).</ref> In this regard, ''Voigt and von dem Bussche'' suggest the implementation of technical and organisational measures to be able to record the recipients of personal data, including records of processing activities, as well as Data Protection Management Systems where feasible.<ref>''Voigt, von dem Bussche'', The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 163 (Springer 2017).</ref>
 
This obligation in general has been criticised as conferring an excessive burden on controllers, which is moderated only by the non-defined notion of ''"reasonable steps"'', although there is also the view that these constitute an adequate leverage for the data controllers to ensure that they are not obliged to make disproportionate efforts. In fact, in Kranenborg’s opinion, ''“this obligation has actually been softened in comparison with the Commission’s initial proposal, according to which the controller was ‘considered responsible’ for a publication made by a third party if they had ‘authorised’ it, and had to take ‘all’ reasonable steps to inform those third parties of the erasure request.”''<ref>''Kranenborg'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 7 GDPR, p. 483 (Oxford University Press 2020).</ref> It is not entirely clear whether the reasonableness of these measures depends on the controller’s subjective situation, or whether objective criteria should be used. According to ''Voigt and von dem Bussche, “the former should be the case, as otherwise the obligation would be too much of a burden for micro, small and medium-sized enterprises whose interests have received special consideration under the GDPR.”''<ref>''Voigt, von dem Bussche'', The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 163 (Springer 2017).</ref>
 
Furthermore, as ''Kelleher and Murray'' highlight, ''“it seems that this amounts only to an obligation to inform other controllers that such links should be erased, the GDPR does not provide that controllers have to require such erasure and does not provide a specific mechanism by which controllers could require such erasure.”''<ref>''Kelleher, Murray'', EU Data Protection Law, p. 214 (Bloomsbury Professional 2018).</ref> Additionally, it is also important to keep in mind that third parties might be in a different position when processing the data which they have obtained through the controller. In this sense, ''Carey'' notes that ''“it is also entirely possible that a third party controller that has obtained personal data as a result of their having been made public by another controller will process those data on the basis of processing grounds that do not allow for erasure requests, or will be able to rely on exemptions to the right of erasure that are not available to the controller that made the data public.”''<ref>''Carey'', Data Protection: A Practical Guide to UK and EU Law, p. 146 (Oxford University Press, 2018, 5th Edition).</ref>
 
Additionally, it is important to mention that according to the EDPB, this obligation of information does not apply to search engine providers when they find information containing personal data published or placed on the internet by third parties, index it automatically, store it temporarily and make it available to internet users according to a particular order of preference. In addition, ''"it does not require search engine providers, who have received a data subject’s delisting request, to inform the third party which made public that information on the internet. Such obligation seeks to give greater responsibility to original controllers and try to prevent from multiplying data subjects’ initiatives.”''<ref>EDPB, ‘Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1)’, 7 July 2020 (Version 2.0), p. 6 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_201905_rtbfsearchengines_afterpublicconsultation_en.pdf here]).</ref> Moreover, according to the Board, it is planning to issue specific Guidelines on Article 7(2) GDPR in the future.


This obligation has been criticised as conferring an excessive burden on controllers, which is moderated only by the non-defined notion of "reasonable steps". However, there is also the view that the "reasonable steps" constitute an adequate leverage for the data controllers to ensure that they are not obliged to make disproportionate efforts. Compliance by data controllers with this obligation would be facilitated by documenting all the categories of personal data that they have communicated to third parties.
===(3) Exceptions===
===(3) Exceptions===
The exceptions here are not absolute, but a necessity test is required. The refusal of the erasure is only allowed "to the extent that processing is necessary" for the reasons below. This means that a data subject may exercise the right to erasure when the processing is no longer necessary or it is carried out at a level beyond what is necessary. In any case, the data controllers bear the burden of demonstrating and proving the application of any exception that they may rely on.   
The exceptions here are not absolute, and a necessity test will be required. The refusal of the erasure is only allowed ''"to the extent that processing is necessary"'' for the reasons below. This means that a data subject may exercise the right to erasure when the processing is no longer necessary, or when it is carried out at a level beyond what is necessary. In any case, the data controllers bear the burden of demonstrating and proving that any exception that they may rely on is applicable.   
====(a) Freedom of Expression and Information====
====(a) Freedom of Expression and Information====
This exception reflects one of the most common balancing tests that not only courts but also many data protection authorities have been called upon to implement. Results may vary from case to case, but when the data is about a public figure or about the professional life of a data subject, the argument for refusing erasure in favor of freedom of expression and information usually prevails. [[Article 85 GDPR|Article 85(1) GDPR]] is relevant here, according to which "Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression."  
This exception reflects one of the most common balancing tests that not only courts but also many data protection authorities have been called upon to implement. When attempting to strike a balance, the following two factors need to be taken into consideration: first, the nature of information in question and its sensitivity for the data subject’s private life, and second, the public’s interest in accessing the information, which may vary depending on the data subject’s role in public life. Results may vary from case to case, but when the data is about a public figure or about the professional life of a data subject, the argument for refusing erasure in favour of freedom of expression and information usually prevails. Article 85(1) GDPR is relevant here, according to which ''"Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression."''
 
It is important to take into consideration that according to Recital 153 GDPR, ''“in order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly.”'' According to ''Voigt and von dem Bussche, “this exception might become highly relevant in practice as this right cannot only be invoked by the press but also by any entity”'', as well as any individual.<ref>''Voigt, von dem Bussche'', The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 159 (Springer 2017).</ref> ''Voigt and von dem Bussche'' also note that ''“under this exception, an erasure of opinions should be excluded. However, the distinction between personal data and opinion can be difficult where an opinion is based on personal data. In such a case, it needs to be balanced out whether the underlying personal data is still necessary for forming an opinion. The older the personal data is, the more improbable is their necessity for forming an opinion.”''<ref>''Voigt, von dem Bussche'', The EU General Data Protection Regulation (GDPR): A Practical Guide, pp. 159-160 (Springer 2017).</ref>
 
====(b) Compliance with a Legal Obligation, Public Interest, Official authority====
====(b) Compliance with a Legal Obligation, Public Interest, Official authority====
A common instance of such compliance with a legal obligation is compliance with national tax laws which may require the retention and processing of personal data.   
These situations refer to the grounds of processing contained in Article 6(1)(c) and (e). A common instance of such compliance with a legal obligation is compliance with national commercial or tax laws which may require the retention and processing of personal data.   
====(c) Public Health====
====(c) Public Health====
''You can help us fill this section!''
This section establishes an exception based on public health reasons, making specific references to provisions in Article 9 GDPR related to the processing of special categories of personal data.
 
Specifically, Article 9(2)(h) GDPR which refers to a broad exception based on processing necessity for the provision of health and social care. According to ''Georgieva and Kuner'', the latter should be interpreted broadly to include assistance granted by social security authorities.<ref>''Georgieva, Kuner,'' in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 7 GDPR, p. 380 (Oxford University Press 2020).</ref> Besides health and social care services, it also includes other related purposes, such as the assessment of employee working capacities or the management of health or social care systems. For this exception to apply, the sensitive data must be processed by a professional subject to the obligation of professional secrecy, as established by an explicit complementary provision in Article 9(3) GDPR, also referenced in this section.
 
The other provision mentioned is Article 9(2)(i) GDPR, which is an exception for processing based on public interest considerations in the area of public health. It gives some examples, such as protection against serious cross-border threats, or ensuring adequate standards for health products and devices.
 
According to Recital 54 GDPR, the interpretation of “public health” corresponds to Regulation (EC) No 1338/2008,[Regulation (EC) No 1338/2008 of the European Parliament and of the Council of 16 December 2008 on Community statistics on public health and health and safety at work (available here).] which includes ''“namely all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality.”''
 
====(d) Archiving, Scientific, Historical Research, Statistical Purposes====
====(d) Archiving, Scientific, Historical Research, Statistical Purposes====
''You can help us fill this section!''
This section (which mirrors Article 9(2)(j) GDPR) contains a processing exception for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR, which in turn establishes that these processing purposes must be subject to appropriate safeguards for the rights and freedoms of data subjects. Among those safeguards, this article places an emphasis on data minimisation, and mentions pseudonymisation as a possible measure. This exception will apply when the right to erasure will have a considerable effect on these purposes, either rendering them impossible, or seriously impairing them.
====(e) Legal Claims====
====(e) Legal Claims====
''You can help us fill this section!''
This provision (which also partly mirrors Article 9(2)(f) GDPR) establishes an exception which prevents data subjects from demanding an erasure of their personal data that might be relevant for the establishment, exercise or defense of legal claims, which should be interpreted broadly to include both public and private law claims. It should also be noted that these legal claims bust be either already filed and underway, or at the very least imminent or impending, and not just a hypothetical possibility.


==Decisions==
==Decisions==
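Review bot: In the added paragraph under (e) Legal Claims, "these legal claims bust be" should read "must be". In the added (c) Public Health text, the sentence beginning "Specifically, Article 9(2)(h) GDPR which refers to" has no main verb, so drop the stray "which". The Regulation (EC) No 1338/2008 citation there sits inline in square brackets, unlike the other footnotes in this revision, which use <ref> tags. It therefore renders in the body text and should be moved into a <ref>.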

Revision as of 13:15, 25 April 2022

Article 17 - Right to erasure (‘right to be forgotten’)

Legal Text


Article 17 - Right to erasure (‘right to be forgotten’)

1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(e) for the establishment, exercise or defence of legal claims.

Relevant Recitals

Recital 39: Principles of Data Processing
Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. 
Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.

Recital 65: Right to Erasure and Rectification
A data subject should have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject. In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation. That right is relevant in particular where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet. The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child. However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.

Recital 66: Informing Controllers of Erasure
To strengthen the right to be forgotten in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data. In doing so, that controller should take reasonable steps, taking into account available technology and the means available to the controller, including technical measures, to inform the controllers which are processing the personal data of the data subject's request.

Commentary

The right to erasure, which in its current form in the GDPR has come to also be known as the “right to be forgotten”, is regarded as one of the particular novelties introduced by this Regulation. More concretely, it is a further elaboration of the right to erasure contained in Articles 12(b), 12(c) and 14(a) of the Data Protection Directive 95/46/EC[1] which preceded it. Its development is a clear example of the modernisation of European data protection rules in order to keep up with the times. As noted by Kranenborg, its added prominence in the GDPR “recognises its increased importance in today’s society, in which personal data is generated, made public and shared on a massive scale, as an instrument for the data subject to retain a certain control over personal data.”[2]

A major precedent which informed the GDPR’s right to erasure was the interpretation of Articles 12(b) and 14(1)(a) of Directive 95/46/EC by the CJEU in its landmark judgement Google Spain.[3] However, it cannot be said that the “right to be forgotten” per se derived from this decision. Instead, what was established was the “right to request delisting”, because what was ordered by the court in this case was the removal of search results linking a document to a data subject’s name, while the information itself (an article in a Spanish newspaper) remained online and publicly accessible. Specifically, the court ruled that data subjects can request search engines to delist certain URLs from search results if the information online is “inadequate, irrelevant or no longer relevant, or excessive.”[4]

As a direct result of this case, in 2020, the EDPB adopted the “Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR”,[5] to specify the content and scope of the “right to request delisting”. According to the Guidelines, this right “implies two rights (Right to Object and Right to Erasure GDPR). Indeed, the application of Article 21 is expressly foreseen as the third ground for the Right to erasure. As a result, both Article 17 and Article 21 GDPR can serve as a legal basis for delisting requests. […] There are some considerations when applying Article 17 GDPR in respect of a search engine provider’s data processing. In this regard, it is necessary to state that the processing of personal data carried out in the context of the activity of the search engine provider must be distinguished from processing that is carried out by the publishers of the third-party websites such as media outlets that provide online newspaper content. If a data subject obtains the delisting of a particular content, this will result in the deletion of that specific content from the list of search results concerning the data subject when the search is, as a main rule, based on his or her name. This content will however still be available using other search criteria.”[6]

While the right to erasure is a well-established data protection right, the “right to request delisting” has proved to be more controversial due to freedom of expression and general human rights concerns amongst many civil society groups. For example, Access Now, in their official position regarding this topic, has stated that, although it “supports the right to erasure, we cannot support establishing a right to de-list or a right to obscurity. If it is misinterpreted or implemented the wrong way — particularly in the absence of a comprehensive data protection law and with inadequate transparency — it poses a significant threat to human rights. It must under no circumstances be misinterpreted or misapplied to enable the removal of online content, including from news media or social media.”[7]

Another notable case in which the CJEU considered the right of erasure was in Manni,[8] in which the Court established that this right did not necessarily require the erasure of personal data from a public companies register. Although the CJEU conceded that in exceptional cases this erasure could take place, it did not go as far as to mandate a specific timeframe for the retention of this data.[9]

Some scholars have referred to the right of erasure as the most ambiguous right within the GDPR, noting that “whether any item of data can ever be fully or properly erased is very much open to question.”[10] However, it must be said that it constitutes a very important safeguard for the enforcement of the data protection principles, especially the principle of "data minimisation" as foreseen under Article 5(1)(c) GDPR.

(1) Legal Grounds

The right to erasure does not constitute an absolute right granted to data subjects. It can be exercised only if one of the following legal grounds applies, which in turn gives rise to a correlated obligation on the controller. As Voigt and von dem Bussche note, “the right of the data subject shall only help to enforce the controller’s obligation to erase personal data that would exist anyway under any of the grounds of Art. 17 Sec. 1 GDPR.”[11] Oftentimes, it also requires a balancing exercise among the different interests at stake.

(a) Data No Longer Necessary for the Initial Purposes

The data subject may invoke the right to erasure when the personal data is no longer necessary for the purpose(s) they were initially collected for or otherwise processed. This legal ground reflects the general GDPR principles of "purpose limitation" and “storage limitation” as provided for in Articles 5(1)(b) and (e) GDPR. In this case, if a data controller continues to process the personal data, this processing would be at odds with these provisions, unless the data controller had previously informed the data subject about the change of purpose according to Article 13(3) GDPR and Article 14(4) GDPR, or if it “is necessary for realising another purpose of processing that partially overlaps with or is compatible with the eliminated purpose.”[12] In this sense, Article 6(4) GDPR establishes that, unless the further processing is based on consent or laid out by law, in order for the controller to determine whether processing for another purpose is compatible with the purpose for which the personal data was initially collected, certain elements have to be taken into consideration (inter alia, the link between the former and further purpose, the context or relationship between the data subject and the controller, the nature of the personal data, the possible consequences of further processing, and the existence of appropriate safeguards).

(b) Withdrawal of Consent and No Other Legal Basis

This ground can apply in cases where the legal basis for processing is consent as provided for in Article 6(1)(a) GDPR, or in Article 9(2)(a) GDPR when special categories of personal data are processed. According to Article 7(3) GDPR, the data subject may withdraw their consent at any time, and it must be as easy to withdraw that consent as it was to give it. Further processing of personal data after withdrawal of consent renders that processing operation unlawful and the data controller must erase the personal data upon request. However, if there is another legal basis for lawful processing of the personal data, or a part of it, the controller may continue the processing operations and will not be obliged to erase this data.

(c) Objection to Processing and No Overriding Legitimate Grounds

According to this provision, a data subject may request an erasure when they have objected to processing in accordance with Article 21(1) GDPR, which establishes the right to objection based on the data subject’s particular situation, when processing is based on the legal bases in Article 6(1)(e) and (f) GDPR (processing is necessary for the performance of a task in the public interest or legitimate interest of the controller), including profiling based on these provisions. In this case, the controller must grant the data subject’s right to erasure when there are no compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

In all cases, the data controller bears the burden of demonstrating whether the overriding legitimate grounds exist. However, the data subject must demonstrate the circumstances that have led to the modified interests at stake. Furthermore, as Voigt and von dem Bussche note, the controller would have “the right to revaluate the situation as its own interests for processing might still prevail and an erasure might not have to take place. This evaluation might require some time, and thus the data subject could exercise its right to restriction of processing in the meantime.”[13] When processing is implemented for direct marketing purposes, then, in accordance with Article 21(2) GDPR, further processing will not be lawful (if there is no other legal basis for processing) and a simple objection by the data subject will be enough to exercise the right to erasure.

Direct marketing should be interpreted in a broad sense, and as Carey points out, this right “will extend both to records of marketing communications sent to data subjects and also to any underlying personal data that are held for direct marketing purposes, including personal data used for profiling purposes (i.e. to identify a subject as a marketing target). As direct marketing is considered to include any targeted communications that promote the 'aims and ideals' of an organization, data held for the purposes of political canvassing and for charitable fundraising purposes may therefore be caught by the right of erasure.”[14]

(d) Unlawful Processing

Processing can be unlawful for a number of reasons. Most commonly, processing is unlawful when it lacks any legal basis as prescribed in Article 6 GDPR or Article 9 GDPR, or when it violates the obligations of data controllers under the GDPR as provided for mainly in Chapters 2 and 4. As Voigt and von dem Bussche observe, “this provision can be seen as a sweeping clause, as it grants a right to erasure where processing is unlawful, whether it is for a lacking legal permission for processing or for non-compliance with the Regulation, such as regarding the organisational obligations of the controller”.[15]

(e) Compliance with a Legal Obligation

This provision establishes a legal basis analogous to the legal basis for processing under Article 6(1)(c) GDPR. It contains an opening clause by which legal obligations are left to the discretion of Member States. Hence, additional cases which would justify the erasure of data can be introduced at a national level.

(f) Information Society Services to Children

This provision is meant to ensure a more thorough protective scheme for children, who enjoy increased protection under the GDPR. According to Article 8(1) GDPR, a child is anyone below the age of 16, though Member States have the discretion to establish a lower age for those purposes (the age of 13 is the minimum permitted age according to the GDPR). According to Article 4(25) GDPR “‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council.” Recital 65 GDPR establishes a reason for this provision, stating that where the data subject has given their consent as a child, and is not fully aware of the risks involved in the processing operations, they may want to remove such personal data, especially on the internet. The aforementioned Recital 65 also offers the possibility of exercising this right even when the data subject is no longer a child. According to Voigt and von dem Bussche, “it is unclear whether this right to erasure equals a withdrawal of consent and, thus, this provision would not have a separate scope of application as it would be a sub-part of Art. 17 Sec. 1 lit. a GDPR. Given the legislator’s aim to increase the protection of children and the otherwise lacking additional benefit, the provision should allow a request for erasure of selective personal data (where possible) without a withdrawal of the consent for processing altogether.”[16]

(2) Obligation to Inform Other Controllers

This paragraph establishes an additional obligation for controllers who have made personal data public, to take reasonable steps to inform other controllers (including employees of the controller), processors, and third parties, which are processing this data, that its erasure has been requested by a data subject. Article 17(2) GDPR is read together with Article 19 GDPR, which foresees the communication of any erasure of personal data to each recipient to whom the personal data had been disclosed (unless this proves impossible or entails disproportionate effort), as well as informing the data subject about those recipients if requested. Recital 66 GDPR clearly states that this addition is meant to "strengthen the right to be forgotten in the online environment", although it is not limited to this kind of processing. This paragraph is a clear reflection of the ruling in Google Spain.[17]

Rucker and Kugler note that to be able to comply with the requirements set out in Article 19 GDPR, “controllers should document and keep track of the organisations they transfer personal data to and the categories of personal data transferred.”[18] In this regard, Voigt and von dem Bussche suggest the implementation of technical and organisational measures to be able to record the recipients of personal data, including records of processing activities, as well as Data Protection Management Systems where feasible.[19]

This obligation in general has been criticised as conferring an excessive burden on controllers, which is moderated only by the non-defined notion of "reasonable steps", although there is also the view that these constitute adequate leverage for the data controllers to ensure that they are not obliged to make disproportionate efforts. In fact, in Kranenborg’s opinion, “this obligation has actually been softened in comparison with the Commission’s initial proposal, according to which the controller was ‘considered responsible’ for a publication made by a third party if they had ‘authorised’ it, and had to take ‘all’ reasonable steps to inform those third parties of the erasure request.”[20] It is not entirely clear whether the reasonableness of these measures depends on the controller’s subjective situation, or whether objective criteria should be used. According to Voigt and von dem Bussche, “the former should be the case, as otherwise the obligation would be too much of a burden for micro, small and medium-sized enterprises whose interests have received special consideration under the GDPR.”[21]

Furthermore, as Kelleher and Murray highlight, “it seems that this amounts only to an obligation to inform other controllers that such links should be erased, the GDPR does not provide that controllers have to require such erasure and does not provide a specific mechanism by which controllers could require such erasure.”[22] Additionally, it is also important to keep in mind that third parties might be in a different position when processing the data which they have obtained through the controller. In this sense, Carey notes that “it is also entirely possible that a third party controller that has obtained personal data as a result of their having been made public by another controller will process those data on the basis of processing grounds that do not allow for erasure requests, or will be able to rely on exemptions to the right of erasure that are not available to the controller that made the data public.”[23]

Additionally, it is important to mention that according to the EDPB, this obligation of information does not apply to search engine providers when they find information containing personal data published or placed on the internet by third parties, index it automatically, store it temporarily and make it available to internet users according to a particular order of preference. In addition, “it does not require search engine providers, who have received a data subject’s delisting request, to inform the third party which made public that information on the internet. Such obligation seeks to give greater responsibility to original controllers and try to prevent from multiplying data subjects’ initiatives.”[24] Moreover, according to the Board, it is planning to issue specific Guidelines on Article 7(2) GDPR in the future.

(3) Exceptions

The exceptions here are not absolute, and a necessity test will be required. The refusal of the erasure is only allowed "to the extent that processing is necessary" for the reasons below. This means that a data subject may exercise the right to erasure when the processing is no longer necessary, or when it is carried out at a level beyond what is necessary. In any case, the data controllers bear the burden of demonstrating and proving that any exception that they may rely on is applicable.

(a) Freedom of Expression and Information

This exception reflects one of the most common balancing tests that not only courts but also many data protection authorities have been called upon to implement. When attempting to strike a balance, the following two factors need to be taken into consideration: first, the nature of information in question and its sensitivity for the data subject’s private life, and second, the public’s interest in accessing the information, which may vary depending on the data subject’s role in public life. Results may vary from case to case, but when the data is about a public figure or about the professional life of a data subject, the argument for refusing erasure in favour of freedom of expression and information usually prevails. Article 85(1) GDPR is relevant here, according to which "Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression."

It is important to take into consideration that according to Recital 153 GDPR, “in order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly.” According to Voigt and von dem Bussche, “this exception might become highly relevant in practice as this right cannot only be invoked by the press but also by any entity”, as well as any individual.[25] Voigt and von dem Bussche also note that “under this exception, an erasure of opinions should be excluded. However, the distinction between personal data and opinion can be difficult where an opinion is based on personal data. In such a case, it needs to be balanced out whether the underlying personal data is still necessary for forming an opinion. The older the personal data is, the more improbable is their necessity for forming an opinion.”[26]

(b) Compliance with a Legal Obligation, Public Interest, Official authority

These situations refer to the grounds of processing contained in Article 6(1)(c) and (e). A common instance of such compliance with a legal obligation is compliance with national commercial or tax laws which may require the retention and processing of personal data.

(c) Public Health

This section establishes an exception based on public health reasons, making specific references to provisions in Article 9 GDPR related to the processing of special categories of personal data.

Specifically, Article 9(2)(h) GDPR refers to a broad exception based on processing necessity for the provision of health and social care. According to Georgieva and Kuner, the latter should be interpreted broadly to include assistance granted by social security authorities.[27] Besides health and social care services, it also includes other related purposes, such as the assessment of employee working capacities or the management of health or social care systems. For this exception to apply, the sensitive data must be processed by a professional subject to the obligation of professional secrecy, as established by an explicit complementary provision in Article 9(3) GDPR, also referenced in this section.

The other provision mentioned is Article 9(2)(i) GDPR, which is an exception for processing based on public interest considerations in the area of public health. It gives some examples, such as protection against serious cross-border threats, or ensuring adequate standards for health products and devices.

According to Recital 54 GDPR, the interpretation of “public health” corresponds to Regulation (EC) No 1338/2008 (Regulation (EC) No 1338/2008 of the European Parliament and of the Council of 16 December 2008 on Community statistics on public health and health and safety at work), which includes “namely all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality.”

(d) Archiving, Scientific, Historical Research, Statistical Purposes

This section (which mirrors Article 9(2)(j) GDPR) contains a processing exception for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR, which in turn establishes that these processing purposes must be subject to appropriate safeguards for the rights and freedoms of data subjects. Among those safeguards, this article places an emphasis on data minimisation, and mentions pseudonymisation as a possible measure. This exception applies when the right to erasure would have a considerable effect on these purposes, either rendering them impossible or seriously impairing them.

(e) Legal Claims

This provision (which also partly mirrors Article 9(2)(f) GDPR) establishes an exception which prevents data subjects from demanding the erasure of personal data that might be relevant for the establishment, exercise or defense of legal claims, which should be interpreted broadly to include both public and private law claims. It should also be noted that these legal claims must be either already filed and underway, or at the very least imminent or impending, and not just a hypothetical possibility.

Decisions

→ You can find all related decisions in Category:Article 17 GDPR

References

  1. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
  2. Kranenborg, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 17 GDPR, p. 477 (Oxford University Press 2020).
  3. CJEU, Case C-131/12, Google Spain, 13 May 2014 (available here).
  4. CJEU, Case C-131/12, Google Spain, 13 May 2014, margin numbers 93-94 (available here).
  5. EDPB, ‘Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1)’, 7 July 2020 (Version 2.0) (available here).
  6. EDPB, ‘Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1)’, 7 July 2020 (Version 2.0), p. 5 (available here).
  7. Access Now, ‘Position Paper: Understanding The “Right To Be Forgotten” Globally’, September 2016 (accessed 22 February 2022) (available here).
  8. CJEU, Case C-398/15, Manni, 9 March 2017 (available here).
  9. CJEU, Case C-398/15, Manni, 9 March 2017, margin numbers 60, 63 (available here).
  10. Kelleher, Murray, EU Data Protection Law, p. 208 (Bloomsbury Professional 2018).
  11. Voigt, von dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 159 (Springer 2017).
  12. Voigt, von dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 157 (Springer 2017), citing Laue et al., Datenschutzrecht, Rechte der betroffenen Person (2016), margin number 41.
  13. Voigt, von dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 157 (Springer 2017).
  14. Carey, Data Protection: A Practical Guide to UK and EU Law, p. 144 (Oxford University Press, 2018, 5th Edition).
  15. Voigt, von dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 158 (Springer 2017).
  16. Voigt, von dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 158 (Springer 2017).
  17. CJEU, Case C-131/12, Google Spain, 13 May 2014 (available here).
  18. Schrey, in Rücker, Kugler, New European General Data Protection Regulation, A Practitioner's Guide: Ensuring Compliant Corporate Practice, p. 142 (C.H. Beck 2018).
  19. Voigt, von dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 163 (Springer 2017).
  20. Kranenborg, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 7 GDPR, p. 483 (Oxford University Press 2020).
  21. Voigt, von dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 163 (Springer 2017).
  22. Kelleher, Murray, EU Data Protection Law, p. 214 (Bloomsbury Professional 2018).
  23. Carey, Data Protection: A Practical Guide to UK and EU Law, p. 146 (Oxford University Press, 2018, 5th Edition).
  24. EDPB, ‘Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1)’, 7 July 2020 (Version 2.0), p. 6 (available here).
  25. Voigt, von dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 159 (Springer 2017).
  26. Voigt, von dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide, pp. 159-160 (Springer 2017).
  27. Georgieva, Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 7 GDPR, p. 380 (Oxford University Press 2020).