HDPA (Greece) - 1/2023
|HDPA - 1/2023|
|Relevant Law:||Article 17 GDPR|
Article 21(1) GDPR
Article 21(2) GDPR
Article 51 GDPR
Article 55 GDPR
Article 56(2) GDPR
|National Case Number/Name:||1/2023|
|European Case Law Identifier:||n/a|
|Original Source:||HDPA (in EL)|
|Initial Contributor:||Anastasia Tsermenidou|
After Google failed to respond to a right to erasure request made by a Greek data subject, the Greek DPA held that it is competent to examine the complaint, as the processing concerns only a Greek data subject, and is conducted by Google LLC, based in the US.
English Summary[edit | edit source]
Facts[edit | edit source]
The complainant, a Greek data subject, submitted an erasure request to Google, the controller, seeking the removal of various search results on the website which include links to third party website containing information related to the data subject's status, and personal and professional reputation. After receiving no response to their request, the data subject lodged a complaint against Google Ireland Limited, for failure to satisfy their right to erasure.
Responding to the complaint, Google asserted that it had balanced the relevant rights and interests, including the relevance to the complainant's professional life, and decided not to cut the content. Furthermore, the content of the links are accurate, as the complainant has not proven they are inaccurate; up to date, as the professional activity in question is still carried out today. Therefore, the public has a legitimate interest in accessing the information.
Holding[edit | edit source]
After considering the submissions of both parties and reviewing the evidence, the section of the Greek DPA tasked with investigating the complaint issued its decision.
Firstly, the decision acknowledged that, in accordance with Article 51 and 55 GDPR, this authority is competent to supervise the application of the GDPR to this case. This is because, while Google Ireland Limited is the company's main establishment in the EU for user data collected and processed when users interact with Google services, the processing of erasure requests is conducted by Google LLC, based in the US. This has been confirmed, by Google LLC, in communications with the EDPB. Therefore, while in cases concerning other personal data processing the Irish DPA (DPC) is the competent supervisory authority, that is not the case in this context.
Article 56(2) of the GPDR states that "by way of derogation from paragraph 1, each supervisory authority shall be competent to examine a complaint lodged or to deal with a possible infringement of this Regulation if the subject matter concerns only an establishment in the Member State concerned or substantially affects data subjects only in the Member state concerned". As a result, given that the processing is undertaken by Google LLC, and concerns only a Greek data subject, the Greek DPA is competent to investigate the complaint. Furthermore, in a previous similar case the Greek DPA informed the Irish DPA that they intend to proceed with an examination of the complaint, and received a reply from the confirming the Greek DPA is competent.
The DPA also observed that, due to a range of factors, this case of of particular importance and general importance, and referred the case in its entirety to the plenary of the authority for determination, pursuant to Article 1(b) of the Authority's Rules of Procedure.
Comment[edit | edit source]
There appears to be an issue in the DPA's reasoning, in particular with regard to the specific provisions of the GDPR referenced in the decision. As is made clear in the decision, there is no main establishment in the EU for this particular processing, as the erasure requests are processed by Google LLC, based in the US. While the decision specifically cites Article 56(2) GDPR, the Greek DPA is competent to investigte this complaint pursuant to Article 55 GDPR. Article 56 applies where there is a main establishment in the EU, with Article 56(1) stating that the country where this main establishment is placed determines the competent supervisory authority, and Article 56(2) GDPR offering an exception to this rule, in cases where "the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State". In the case at hand, as stated, there is no main establishment so Article 56 GDPR is not relevant, and the competency of the Greek DPA should be based solely on Article 55 GDPR.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the Greek original. Please refer to the Greek original for more details.