Article 17 GDPR

From GDPRhub
Revision as of 15:47, 18 March 2024 by Sfl (talk | contribs) (→‎(d) Unlawful processing)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Article 17 - Right to erasure (‘right to be forgotten’)
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 17 - Right to erasure (‘right to be forgotten’)

1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(e) for the establishment, exercise or defence of legal claims.

Relevant Recitals

Recital 39: Principles of Data Processing
Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.

Recital 65: Right to Erasure and Rectification
A data subject should have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject. In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation. That right is relevant in particular where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet. The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child. However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.

Recital 66: Informing Controllers of Erasure
To strengthen the right to be forgotten in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data. In doing so, that controller should take reasonable steps, taking into account available technology and the means available to the controller, including technical measures, to inform the controllers which are processing the personal data of the data subject's request.

Commentary

Article 17 confers upon the data subject the right to have their personal data erased, however this is not an absolute right. In fact, Article 17 GDPR mainly covers cases, where the controller would have had to stop the processing out of his own motion, as the legal ground for the processing of personal data has chased. The right to erasure often just generates a

Example: A data subject withdraws her consent to the use of her data for advertisement. The controller must automatically stop processing her personal data. There is no need to exercise the right to erasure in addition. However, if the data subject suspects that her personal data may not be fully deleted, she may exercise the right to erasure.

Paragraph 1 establishes a standard "right to deletion" of personal data and imposes an obligation on the controller to remove the data when certain conditions are met. To enhance the effectiveness of the right to deletion, especially on the internet (Recital 66), paragraph 2 introduces the so-called "right to be forgotten" which imposes a further obligation on the controller to inform other recipients of the request to delete all links, copies or duplicates of the data, through appropriate technical and cost-effective measures. Paragraph 3 sets out the exceptions to the rules outlined in paragraphs 1 and 2,[1] which are largely repeating existing grounds for the legal processing of personal data in various parts of the GDPR.

Common Mistake: Overall the article is not well-drafted and partly oversold by politics and the media. The title suggest more rights of the data subject than the text of the article provides for. The 'right to be forgotten' or 'erasure' is often understood by data subjects to be an absolute right to have personal data deleted - however if the controller has a legal basis for the processing of personal data, the exercise of Article 17 GDPR has usually no effect.

(1) Right to erasure

The right to erasure does not constitute an absolute right granted to data subjects. It can be exercised only if one of the following legal grounds applies, which in turn gives rise to a correlated obligation on the controller.[2] See below on the question which options exists to ensure that other unlawful processing is stopped.

The data subject has the right to obtain...

Article 17 of the GDPR does not contain specific provisions regarding the methods for exercising the right to erasure. These provisions can be found in Article 12, which includes the general obligation to provide information which is precise and clear (Article 12(1) GDPR), facilitate the data subject (Article 12(2) GDPR), respond and communicate the measures taken (Article 12(3) and (4) GDPR), the principle of freedom from costs (Article 12(5) GDPR) and the identity verification procedure in case of uncertainty (Articles 11 and 12(6) GDPR).

Erasure of personal data

The act of erasing data constitutes a type of processing as defined by Article 4(2) GDPR. The regulation does not provide a definition of "erasure". It is clear, however, that the process must be effective. The crucial element is the outcome of the erasure process, which renders the information previously stored in the data factually irretrievable. Once the data is erased, it should not be feasible for anyone to perceive the information contained therein without resorting to disproportionate measures.[3]

Some possible methods for erasing data include physically eliminating the data by overwriting or erasing it, using mechanical or chemical methods such as shredding the paper, burning or otherwise destroying the data carrier, scratching the surface of CDs, and destroying codes or decryption devices without removing the data itself. In general, deleting a link or reference in a file system (logical deletion) typically does not result in the actual erasure of the data, but only makes it more challenging to locate. The requirements for deletion under data protection laws are evolving due to technological advancements. It is crucial to acknowledge the possibility of recovering deleted data through specialized software. The use of such software is generally expected and feasible.[4]

Deletion must be comprehensive and therefore applies to all data and data carriers, including data stored on backup media, as well as those belonging to contractors (e.g., stored in a "cloud") or employees' private data processing devices. In certain situations, preservation of backup copies may be justified due to the controller's legitimate interest or other applicable legal bases. The deletion obligation does not include any copies of the data made by third parties to whom the data has been disclosed. In this respect, there is an obligation to notify the erasure under Article 19 GDPR and the recipient may be subject to independent deletion obligations.[5]

Relation with the 'right to be forgotten'

The GDPR does not clearly state the relationship between the 'right to erasure' and the 'right to be forgotten'. They are not interchangeable terms, but rather two distinct expressions of the rights of the data subject under Article 17 of the GDPR. Recital 66 clarifies that the 'right to be forgotten' is related to the obligation under Article 17(2) to inform third parties about the erasure of personal data that has been made public. This obligation arises when the right to erasure is exercised.[6] For further information, see commentary under Article 17(2) GDPR below.

Concerning him or her

The right to erasure under paragraph 1 applies to personal data which concerns the data subject. This primarily includes the data subject's own personal data, including profiling data,[7] and not those of third parties. However, personal data that concerns both the data subject and third parties can also be the subject to erasure. Limiting the right to erasure only to personal data that exclusively relates to the data subject would disproportionately restrict such right. However, before the deletion takes place, fundamental rights and interests of third parties to continue certain data processing in not deleting the information should be taken into account.[8]

Example: XXX

And the controller shall have the obligation to erase...

The erasure of personal data is not solely based on a request from the data subject. In accordance with Article 5 of the GDPR, and in particular the principles of lawfulness, data minimization, and storage limitation, the controller must carry out the deletion independently if one of the elements included in the list (a-f) is met. For example, in the event that the data subject revokes their consent, it would be appropriate to proceed with the deletion of all personal data associated with the unauthorized processing. The same applies to processing that has achieved its purpose and therefore no longer has a viable purpose. In this case, it would also be necessary to delete all associated data. However, a blind execution of this obligation leads to unacceptable results. Taking inspiration from the examples mentioned earlier, in the case of consent withdrawal, it is necessary to assess the scope of the data subject's action. If the revocation does not concern the entire processing but only a specific part, an indiscriminate erasure would not only be unadvisable but also inadmissible. The same applies when the purpose of the processing is pursued. In this circumstance, the data subject may request a restriction of processing (Article 18 GDPR) instead of deletion (Article 17(1)(a) GDPR), and a controller-initiated deletion may be deemed abusive. Based on the aforementioned considerations, meticulous scholars elaborate an obligation of the controller, based on the facilitation obligation under Article 12(2) GDPR, to evaluate the situation on a case-by-case basis and, where necessary, contact the data subject for any clarifications regarding their intentions.[9]

Where one of the following grounds applies

(a) Data no longer necessary for the initial purposes

The personal data must be erased if they are no longer necessary for the purpose(s) they were initially collected for or otherwise processed. This scenario reflects the general GDPR principles of "purpose limitation" and “storage limitation” as provided for in Articles 5(1)(b) and (e) GDPR.

Determining when a purpose no longer exists is not a straightforward matter, as it varies from case to case. Fixed deadlines cannot be set to address this issue. The European Court of Justice has established that an examinee can request that their examination answers and the examiner's comments are deleted once they are no longer necessary for identification, such as when the examination process is completed and the answers and comments have lost their probative value. Similarly, applicants' data can be deleted once the selection process has ended and there is no longer any legal protection against the appointment.[10]

Example: Once the electronic health card has been issued, a health insurance company no longer requires the photograph to be stored, as an example. Similarly, if there are no further labour law disputes with an employee, an employer no longer needs to store a warning letter after the termination of the employment relationship, as noted in another example. Additionally, a provider of basic security for job seekers is not required to retain a copy of the identity card after the end of the benefit period.[11]

The above is true unless the processing of personal data is “necessary for realising another purpose of processing that partially overlaps with or is compatible with the eliminated purpose” under Article 6(4) GDPR.[12] Art 6(4) GDPR establishes that, in order for the controller to determine whether processing for another purpose is possible (i.e. compatible with the purpose for which the personal data was initially collected), certain elements have to be taken into consideration (inter alia, the link between the former and further purpose, the context or relationship between the data subject and the controller, the nature of the personal data, the possible consequences of further processing, and the existence of appropriate safeguards). In such case, that is to say, when "further processing" is possible, erasure of personal data can be avoided.

Example: XXX

(b) Withdrawal of consent and no other legal basis is available

When the legal basis for processing is consent as provided for in Article 6(1)(a) GDPR or, as the case may be, Article 9(2)(a) GDPR, and consent is withdrawn according to Article 7(3) GDPR, data must be erased under Article 17(1)(b) GDPR, unless there is another applicable legal ground that preserves the lawfulness of the processing.[13]

Example: XXX

(c) Objection to processing

According to this provision, data must be erased in two different cases. First, (i) an objection to processing in accordance with Article 21(1) GDPR has been raised[14] and there are "no overriding legitimate grounds for the processing". Second, (ii) the data subject have objected to direct marketing under Article 21(2) GDPR.

(i) Erasure following objection under Article 21(1)

The first hypothesis concerns an objection to processing in accordance with Article 21(1) GDPR, provided that "no overriding legitimate grounds for the processing" can identified. The attention of the interpreters has focused on the discrepancy between the terminology used in Article 17(1)(c) ("no overriding legitimate grounds") and that of Article 21(1) ("compelling legitimate grounds").

According to a first view, the two wordings refer to two distinct and non-overlapping concepts. In this perspective, the absence of "compelling legitimate grounds" (Article 21(1) GDPR) results in the obligation to interrupt a certain processing activity ("shall no longer process personal data", Article 21(1) GDPR), but not necessarily to erase personal data. An actual erasure obligation would only arise if, following the first check under Article 21(1), it were shown that there are no "compelling legitimate grounds" for deletion (Article 17).[15]

According to a second view, the wording discrepancy between Article 17(1)(c) and Article 21(1) is irrelevant. From a logical perspective, the difference in wording is too weak to suggest the necessity of a second balancing test, once the first already gave a negative result. Moreover, when balancing conflicting interests, the controller must take into account only "overriding legitimate interests" within the meaning of Article 21(1) GDPR. Therefore, for a claim for deletion to be admissible, all and only the conditions listed in Article 21(1) must be met.[16] In particular, such a provision makes reference to "public interest" or "legitimate interest" pursuant to Article 6(1)(e) and (f) GDPR respectively.

(ii) Erasure following objection under Article 21(2)

Data must also be erased when an objection to direct marketing[17] has been submitted under Article 21(2) GDPR. However, if the same data is used for other purposes, that processing will still be possible provided that there is another applicable legal basis A confirmation to this can be found in Article 21(3) GDPR under which, in case of objection to direct marketing, "personal data shall no longer be processed for such purposes". This means that erasure will also be excluded when other lawful purposes are pursued by the controller.

Example: XXX

(d) Unlawful processing

Under Article 17(1)(d) GDPR, data must be erased in case they "have been unlawfully processed". Processing can be unlawful for a number of reasons. Most commonly, processing is unlawful when it lacks any legal basis as prescribed in Article 6 GDPR or Article 9 GDPR. However, unlawfulness under GDPR is not only limited to situations where the legal basis for processing is missing under Article 6 or 9, but also includes cases where the processing activity violates GDPR for "other reasons" (Recital 65). To begin, processing is unlawful if it does not conform to the principles set out in Article 5.

Case-law: In CJEU - C‑131/12 - Google Spain, the Court held that all processing of personal data must comply, first, with the principles relating to data quality set out in Article 6 of the directive and, secondly, with one of the criteria for making data processing legitimate listed in Article 7 of the directive [...] Under Article 6 of Directive 95/46 [...] the controller has the task of ensuring that personal data are processed ‘fairly and lawfully’, that they are ‘collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes’, that they are ‘adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed’, that they are ‘accurate and, where necessary, kept up to date’ and, finally, that they are ‘kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed’.[18]

Hence, data processing may also be unlawful where any GDPR provision implementing a principle is breached. For instance, if its technical design and implementation do not conform to the requirements of Article 25 or do not comply with the security standards set out in Article 32. Unlawfulness also arises in situations where processed data is inaccurate (Article 16 GDPR).[19] In other words, “this provision can be seen as a sweeping clause, as it grants a right to erasure where processing is unlawful, whether it is for a lacking legal permission for processing or for non-compliance with the Regulation, such as regarding the organisational obligations of the controller”.[20]

(e) Compliance with a legal obligation

Personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject. This provision contains an opening clause by which legal obligations are left to the discretion of Member States. Hence, additional cases which would justify the erasure of data can be introduced at a national level. The opening clause does not impose any special requirements on the respective Member State regulation. However, it is necessary that the respective Member State regulation does not undermine the requirements of the GDPR and, above all, does not violate any rights under the Charter or fundamental freedoms.[21]

(f) Information society services to children

Personal data must also be erased if they have been collected in relation to the offer of information society services referred to in Article 8(1). This provision is meant to ensure a more thorough protective scheme for children, who enjoy increased protection under the GDPR. Recital 65 GDPR, in particular, establishes a reason for this provision, stating that where the data subject has given their consent as a child, and are not fully aware of the risks involved in the processing operations, they may want to remove such personal data, especially on the internet.[22]

With that being said, the scope of this provision must be clarified. A strict literal interpretation would lead to the conclusion that every personal data of minors collected by an information society service[23] must always and in any case be deleted. Such conclusion would make little sense because, and under certain conditions, Article 8(1) GDPR allows for the processing of such personal data.[24] Therefore, an alternative interpretation that is in line with the structure of Article 17 and, more generally, of the GDPR should be provided. In this perspective, the scope of this provision consists of the revocation of a previously given (valid)[25] consent under Article 8(1) of the GDPR. If such consent is revoked, the data must be removed. Compared to the "classic" consent revocation case under Article 17(1)(a) GDPR is that in these cases the deletion of the data occurs even if there are, in theory, other legal bases for further processing.[26] Moreover, following the indications of Recital 65, the request remains valid especially when the data subject is no longer a minor.

In other words, it is a reinforced right to erasure that, on the one hand, excludes hypotheses of further processing due to additional legal bases other than consent and, on the other hand, allows the data subject to remove personal data disseminated on the internet and generally made available by data subjects during their childhood, potentially without realizing the importance and consequences of their actions.[27]

(2) Obligation to inform other controllers, or the "Right to be forgotten"

The obligations imposed on the controller by Article 17(2) are designed to provide greater recognition to the "right to be forgotten" on the Internet (Recital 66). This right addresses the issue that arises when data published on the Internet is often stored and republished by other controllers. This can occur automatically, as in the case of the "Internet Archive" organization, which records the content of websites and makes them available to the public. Additionally, search engines like Google, Bing, and Yahoo often display links to data published on the Internet. Even if data is deleted from one website, it may still be accessible and linked on other websites, resulting in the commonly used phrase "the Internet never forgets". In such cases, the erasure by "one" controller under Article 17(1) GDPR is clearly ineffective. Thus, the "right to be forgotten" seeks measures that go beyond deleting the data at a single controller, in order to stop or reduce uncontrolled dissemination of data which in theory should be erased.[28] This why, according to Article 17(2) GDPR, the controller must inform the other controllers with whom personal data have been shared. Two requirements must be met: 1. the controller has made the personal data public and 2. it is obligated to delete it in accordance with paragraph 1. To do so, the controller must take suitable measures, including technical ones, based on available technology and implementation costs, to inform other controllers who have received the personal data to delete all links, copies or replications of it.

Where the controller has made personal data public

Compared to disclosing personal data to specific but possibly numerous recipients, the act of making personal data public is characterized by the indeterminacy of the number of recipients. Therefore, a strict sense of publication should be excluded if the controller adopts tools that restrict the number of recipients, such as using passwords or other access protection tools. The text of the regulation also clarifies that the act of publication must be intentional. Therefore, hacker attacks or accidental publications related to possible data breaches are not covered by this provision.[29]

Example: publication of personal data on a website...

And erasure under under paragraph 1 applies

The provision of paragraph 2 applies only in cases where paragraph 1 is also applicable. See the Commentary above.

The controller .. shall take reasonable steps

The controller is obligated to take "reasonable measures" to inform other controllers the data processors who are processing the relevant data about the data subject's request for deletion. This means that the controller must inform an indefinite number of recipients, who are or may be unknown. This obligation in general has been criticised as conferring an excessive burden on controllers, which is moderated only by the non-defined notion of "reasonable steps".[30]

The appropriateness of the measures to be taken is determined taking into account available technology and implementation costs. In many cases, it may be impossible or impractical for the controller to make direct contact with all recipients, which may go beyond a "reasonable measure" because of the effort involved.[31] In these cases, the controller may consider alternative methods, such as providing information on their website or publishing the request for deletion at the point where the data was first published. These methods may be less effective, but they are still acceptable under the regulation.

Common misunderstanding: It is worth emphasizing that while it may be "reasonable" to not require the controller to make "unreasonable" efforts to contact "all" controllers, it is also reasonable to expect that such efforts should still be made in simpler situations. For example, if a well-known online newspaper publishes false news about a data subject's arrest and the news spreads to numerous national and international outlets, the data subject may request that the first newspaper delete the news. After removing the page from its website and publishing a correction, the first newspaper can at least directly inform the major news outlets where the news appeared. In fact, it is very simple to verify, at least within the narrow circle of "national" newspapers, who has published the news. For all other controllers who are not easily reachable, the simple publication of the correction is sufficient.

The provision also allows for the possibility that the measures taken to inform data processors of the data subject's request for deletion may be "also of a technical nature". This may include the use of technical measures such as meta tags on the website where the deleted information was previously located, in order to prompt search engine web crawlers to delete the relevant data from their index files and caches. Similar techniques to Digital Rights Management (DRM) used in electronic media could also be considered, although their effectiveness and feasibility in enforcing the "right to be forgotten" are sometimes debated.[32]

To inform controllers

The controller who has received the erasure request must inform the other controllers "which are processing the personal data"[33] that the data subject "has requested the erasure by such controllers of any links to, or copy or replication of, those personal data". In this context, the term "link" refers to any reference to a storage location where the data subject's information is stored, including links that lead to a different storage location than the original publication. The use of the terms "copy" and "replication" indicates that not only exact copies, but also images from which data or even parts of the data can be extracted, must be deleted (for example, screenshots).[34] The GDPR does not provide that controllers have to require such erasure and does not provide a specific mechanism by which controllers could require such erasure.[35]

Article 17(2) does not create an independent obligation on these other data controllers to delete the data. Rather, these other data controllers are only required to delete the data if one of the reasons for erasure set out in Article 17(1) applies to them.[36] It is important to keep in mind that third parties might be in a different position when processing the data which they have obtained through the controller. In this sense Carey notes, that “it is also entirely possible that a third party controller that has obtained personal data as a result of their having been made public by another controller will process those data on the basis of processing grounds that do not allow for erasure requests, or will be able to rely on exemptions to the right of erasure that are not available to the controller that made the data public.”[37]

Finally, according to the EDPB, this obligation of information does not apply to search engine providers when they find information containing personal data published or placed on the internet by third parties, index it automatically, store it temporarily and make it available to internet users according to a particular order of preference. In addition, "it does not require search engine providers, who have received a data subject’s delisting request, to inform the third party which made public that information on the internet. Such obligation seeks to give greater responsibility to original controllers and try to prevent from multiplying data subjects’ initiatives.” Moreover, according to the Board, it is planning to issue specific Guidelines on Article 7(2) GDPR in the future.[38]

(3) Exceptions

If processing is required for the purposes listed in Article 17(3)(a-e), the right to erasure and to be forgotten under paragraphs 1 and 2 does not apply. The list of exceptions provided in paragraph 3 is comprehensive and final. The requirement of "necessity" implies that the processing should be restricted to what is essential for the given purposes. The refusal of the erasure is only allowed "to the extent that processing is necessary" for the reasons below. This means that a data subject may exercise the right to erasure when the processing is no longer necessary, or when it is carried out at a level beyond what is necessary. In any case, controllers bear the burden of demonstrating and proving that any exception that they may rely on is applicable.

(a) Freedom of expression and information

Letter a of Article 17(3) provides an exception to the right to erasure and to be forgotten if the processing is necessary for exercising the right to freedom of expression and information.

This exception reflects one of the most common balancing tests that not only courts but also many data protection authorities have been called upon to implement. When attempting to strike a balance between data protection and freedom of expression, the following two factors need to be taken into consideration: first, the nature of information in question and its sensitivity for the data subject’s private life, and second, the public’s interest in accessing the information, which may vary depending on the data subject’s role in public life.[39]

Results may vary from case to case, but when the data is about a public figure or about the professional life of a well-know individual, the argument for refusing erasure in favour of freedom of expression and information is particularly strong, unless the information that the data subject wants to erase is completely unrelated to their role in society. Article 85(1) GDPR is relevant here: "Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression."

It is important to take into consideration that, according to Recital 153 GDPR, “in order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly.” According to Voigt and von dem Bussche, “this exception might become highly relevant in practice as this right cannot only be invoked by the press but also by any entity”, as well as any individual.[40]

Scholars point out that, under this exception, the deletion of opinions should not be allowed. However, distinguishing between personal data and opinion can be challenging when an opinion is based on personal data. In such cases, it is necessary to weigh whether the personal data underlying the opinion is still necessary. The older the personal data, the less likely it is to be necessary for forming an opinion.[41]

(b) Compliance with a legal obligation, public interest, official authority

Article 17(3)(b) GDPR, first part, provides an exception to the right to erasure and to be forgotten if processing is necessary for fulfilling a legal obligation under Union or Member State law that applies to the data controller. These situations refer to the grounds of processing contained in Article 6(1)(c) GDPR. The legal obligation must result from objective, sufficiently clear and foreseeable law in the public interest (not necessarily in the area of ​​data protection). In these cases, the controller shall provide the data subject with the legal grounds for retaining their data.[42]

Example: A common instance of such compliance with a legal obligation is compliance with national commercial or tax laws which may require the retention and processing of personal data.

Article 17(3) GDPR, second part, rules out the erasure when processing of personal data is necessary to carry out a task in the public interest or in the exercise of official authority, as provided for under Article 6(1)(e) of the GDPR. This exception covers processing activities such as international data transfers between competition, tax, or customs authorities, financial supervisory authorities, or services responsible for social security or public health matters.[43]

(c) Public health

This section establishes an exception based on public health reasons, making specific references to provisions in Article 9 GDPR related to the processing of special categories of personal data.

Specifically, Article 9(2)(h) GDPR refers to a broad exception based on processing necessity for the provision of health and social care.[44] According to Georgieva and Kuner, the latter should be interpreted broadly to include assistance granted by social security authorities.[45] Besides health and social care services, it also includes other related purposes, such as the assessment of employee working capacities or the management of health or social care systems. For this exception to apply, the special categories of data must be processed by a professional subject under obligation of professional secrecy, as established by an explicit complementary provision in Article 9(3) GDPR, also referenced in this section.

The other provision mentioned is Article 9(2)(i) GDPR, which is an exception for processing based on public interest considerations in the area of public health. It gives some examples, such as protection against serious cross-border threats to health, or ensuring adequate standards for health products and devices.

(d) Archiving, scientific, historical research, statistical purposes

This section (which mirrors Article 9(2)(j) GDPR) contains a processing exception for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR, which in turn establishes that these processing purposes must be subject to appropriate safeguards for the rights and freedoms of data subjects. Among those safeguards, this article places an emphasis on data minimisation, and mentions pseudonymisation as a possible measure. This exception will apply when the right to erasure will have a considerable effect on these purposes, either rendering them impossible, or seriously impairing them.

Example: XXX

(e) Legal claims

This provision (which also partly mirrors Article 9(2)(f) GDPR) establishes an exception which prevents data subjects from demanding an erasure of their personal data that might be relevant for the establishment, exercise or defense of legal claims, which should be interpreted broadly to include both public and private law claims. It should also be noted that these legal claims bust be either already filed and underway, or at the very least imminent or impending, and not just a hypothetical possibility.[46]

Right to stop otherwise unlawful processing

It is important to note that while Article 17 GDPR is limited to certain situations any data subject can bring a complaint under Article 77 GDPR if "the data subject considers that the processing of personal data relating to him or her infringes this Regulation" and Article 79 GDPR grantees a right to a judicial remedy against a controller or processor "where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation". The available legal remedy is therefore capturing many other situations where processing violates the GDPR.

This means that while the right to erasure is limited to certain situations under Article 17 GDPR, data subjects are not confined to the ground in Article 17 GDPR when demanding an end of unlawful processing activities. In practice any a request under Article 17 GDPR as well as any (informal) request to stop unlawful processing on ground not mentioned in Article 17 GDPR would have to be enforced via Article 77 or 78 GDPR in any case. This limits the practical meaning of the limitations in Article 17 GDPR.

Decisions

→ You can find all related decisions in Category:Article 17 GDPR

References

  1. In the below commentary we will use the definition put forward by some authors according to which the "right to erasure" is made of two different elements, the classic "right of deletion" under paragraph 1 and the "right to be forgotten" (in the strict sense) under paragraph 2. See, Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 17 GDPR, margin number 1-3 (C.H. Beck 2018, 2nd Edition).
  2. As Voigt and von dem Bussche note, “the right of the data subject shall only help to enforce the controller’s obligation to erase personal data that would exist anyway under any of the grounds of Art. 17 Sec. 1 GDPR.” See, Voigt, von dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 159 (Springer 2017).
  3. In other words, in order to be effective, deletion does not have to be irreversible. It is adequate that the processing and use of the data in question is no longer feasible in its previous form. The fact that at some point a reconstruction of the data (such as restoring a shredded paper) using technical aids (such as cache and metadata or other programs) becomes possible, does not invalidate the effectiveness of the deletion. See, Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 17GDPR, margin number 35 (C.H. Beck 2018, 2nd Edition).
  4. Dix, in Simitis, Hornung, Spiecker, Datenschutzrecht, Article 17 GDPR, margin numbers 5 (NOMOS 2019).
  5. See below commentary on paragraph 2, and Article 19 GDPR.
  6. Nolte, Werkmeister in Gola, DS-GVO, Article 17 GDPR, margin number 1 (C.H. Beck2018, 2nd ed.).
  7. The right of erasure in the context of profiling (Article 4(4) GDPR) affects both the input data (i.e., the personal data on which a profile is based) and the output data (i.e., the profile itself). See, Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 17GDPR, margin number 35 (C.H. Beck 2018, 2nd Edition).
  8. Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 17 GDPR, margin numbers 31-32 (C.H. Beck 2018, 2nd Edition).
  9. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 17 GDPR, margin numbers 8-16 (C.H. Beck 2020, 3rd Edition).
  10. Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 17 GDPR, margin number 21 (C.H. Beck 2018, 2nd Edition).
  11. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 17 GDPR, margin number 17 (C.H. Beck 2020, 3rd Edition).
  12. See, Voigt, von dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 157 (Springer 2017), citing Laue et al., Datenschutzrecht, Rechte der betroffenen Person (2016), margin number 41.
  13. The provision's explicit acknowledgement of the potential for alternative legal grounds suggests that the initial processing may have relied on multiple legal bases concurrently, such as consent and another legal basis under Articles 6 or 9 GDPR. See, Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 17 GDPR, margin number 23 (C.H. Beck 2018, 2nd Edition).
  14. Article 21(1) establishes the right to objection based on the data subject’s particular situation, when processing is based on the legal bases in Article 6(1)(e) and (f) GDPR (processing is necessary for the performance of a task in the public interest or legitimate interest of the controller), including profiling based on these provisions.
  15. According to these Authors, it is, therefore, possible to envisage cases where, after an objection pursuant to Article 21(1), although further data processing is excluded, the controller is not obliged to delete the data. Such a situation may arise, for instance, when data relating to the data subject is collected during the use of an app and processed in pseudonymised form for the further development of the app. In this case, in the event of an objection by the data subject, the controller would not be able to demonstrate any compelling legitimate grounds that would allow further processing, because the app can continue to be operated without the data of the data subject. On the other hand, it is likely that the controller has an overriding legitimate interest (the technical development of the app), which, depending on the design of the processing operations, could exclude the data subject's claim for deletion. See, Nolte, Werkmeister in Gola, DS-GVO, Article 81 GDPR, margin number 18-19 (C.H. Beck2018, 2nd edition).
  16. Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 17 GDPR, margin number 26 (C.H. Beck 2018, 2nd Edition).
  17. Direct marketing should be interpreted in a broad sense, and as Carey points out, this right applies not only to records of marketing communications sent to individuals but also to any personal data held for direct marketing, including data used for profiling. This includes data held for political canvassing and charitable fundraising purposes, as direct marketing encompasses any targeted communication that promotes an organization's goals and values. See, Carey, Data Protection: A Practical Guide to UK and EU Law, p. 144 (Oxford University Press, 2018, 5th Edition).
  18. CJEU, Case C-131/12, Google Spain, 13 May 2014, margin numbers 71-72, 75, 92 (available here).
  19. Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 17 GDPR, margin number 27 (C.H. Beck 2018, 2nd edition). Same view in Haidinger in Knyrim, DatKomm Article 17 GDPR, margin numbers 55-56 (as of 1.12.2021, rdb.at).
  20. Voigt, von dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 158 (Springer 2017).
  21. Nolte, Werkmeister in Gola, DS-GVO, Article 17 GDPR, margin number 27 (C.H. Beck2018, 2nd edition).
  22. The aforementioned Recital 65 also offers the possibility of exercising this right even when the data subject is no longer a child.
  23. According to Article 4(25) GDPR “‘information society service’ means a service as defined in point (b) of Article 1(1) of Directive (EU) 2015/1535 of the European Parliament and of the Council.”
  24. According to Article 8(1) GDPR, a child is anyone below the age of 16, though Member States have the discretion to establish a lower age for those purposes (the age of 13 is the minimum permitted age according to the GDPR).
  25. If the consent is invalid under Article 8(1) GDPR, then the processing is unlawful and therefore the general clause under Article 17(1)(d) GDPR applies.
  26. Contrary to Article 17(1)(a), Article 17(1)(f) does not include the wording "where there is no other legal ground for the processing".
  27. Shares this interpretation Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 17 GDPR, margin numbers 34-35 (C.H. Beck 2020, 3rd Edition). Alternative readings have also been put forward. For instance, “it is unclear whether this right to erasure equals a withdrawal of consent and, thus, this provision would not have a separate scope of application as it would be a sub-part of Art. 17 Sec. 1 lit. a GDPR. Given the legislator’s aim to increase the protection of children and the otherwise lacking additional benefit, the provision should allow a request for erasure of selective personal data (where possible) without a withdrawal of the consent for processing altogether." See, Voigt, von dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 158 (Springer 2017).
  28. In exceptionally clear terms, Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 17 GDPR, margin number 49 (C.H. Beck 2020, 3rd Edition).
  29. Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 17 GDPR, margin number 44 (C.H. Beck 2018, 2nd Edition).
  30. This “obligation has actually been softened in comparison with the Commission’s initial proposal, according to which the controller was ‘considered responsible’ for a publication made by a third party if they had ‘authorised’ it, and had to take ‘all’ reasonable steps to inform those third parties of the erasure request.” See, Kranenborg, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 7 GDPR, p. 483 (Oxford University Press 2020).
  31. It is not entirely clear whether the reasonableness of these measures depends on the controller’s subjective situation, or whether objective criteria should be used. According to Voigt and von dem Bussche, “the former should be the case, as otherwise the obligation would be too much of a burden for micro, small and medium-sized enterprises whose interests have received special consideration under the GDPR.” See, Voigt, von dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 163 (Springer 2017).
  32. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 17 GDPR, margin number 53 (C.H. Beck 2020, 3rd Edition).
  33. Article 17(2) GDPR must be distinguished from Article 19 GDPR, which foresees the communication of any erasure of personal data to each recipient to whom the personal data had been disclosed (unless this proves impossible or entails disproportionate effort), as well as informing the data subject about those recipients if requested. Recital 66 GDPR clearly states that this addition is meant to "strengthen the right to be forgotten in the online environment", although it is not limited to this kind of processing. This paragraph is a clear reflection of the ruling in Google Spain. Rucker and Kugler note that to be able to comply with the requirements set out in Article 19 GDPR, “controllers should document and keep track of the organisations they transfer personal data to and the categories of personal data transferred.” See, Schrey, in Rücker, Kugler, New European General Data Protection Regulation, A Practitioner's Guide: Ensuring Compliant Corporate Practice, p. 142 (C.H. Beck 2018). In this regard, Voigt and von dem Bussche suggest the implementation of technical and organisational measures to be able to record the recipients of personal data, including records of processing activities, as well as Data Protection Management Systems where feasible. See, Voigt, von dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 163 (Springer 2017).
  34. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 17 GDPR, margin numbers 55-56 (C.H. Beck 2020, 3rd Edition).
  35. Kelleher, Murray, EU Data Protection Law, p. 214 (Bloomsbury Professional 2018).
  36. The title of Article 17 ("Right to be forgotten") may give the impression that all the other controllers are required to delete the data in question, but this is not always the case.
  37. Carey, Data Protection: A Practical Guide to UK and EU Law, p. 146 (Oxford University Press 2018. 5th Edition).
  38. EDPB, ‘Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1)’, 7 July 2020 (Version 2.0), p. 6 (available here).
  39. Herbst, in Kühling, Buchner, DS-GVO BDSG, Article 17 GDPR, margin number 56 (C.H. Beck 2020).
  40. Voigt, von dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide, p. 159 (Springer 2017).
  41. Voigt, von dem Bussche, The EU General Data Protection Regulation (GDPR): A Practical Guide, pp. 159-160 (Springer 2017).
  42. IDPC (Malta) - CDP/IMI/LSA/17/2020 (available here)
  43. Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 17 GDPR, margin number 60 (C.H. Beck 2018, 2nd Edition).
  44. According to Recital 54 GDPR, the wording “public health” corresponds to Regulation (EC) No 1338/2008, which includes “all elements related to health, namely health status, including morbidity and disability, the determinants having an effect on that health status, health care needs, resources allocated to health care, the provision of, and universal access to, health care as well as health care expenditure and financing, and the causes of mortality.”
  45. Georgieva, Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 7 GDPR, p. 380 (Oxford University Press 2020).
  46. Kamann, Braun in Ehmann, Selmayr, Datenschutz-Grundverordnung, Article 17 GDPR, margin number 64 (C.H. Beck 2018, 2nd Edition).