In a judgment of 13 May 2014 in the Google Spain v AEPD case, the Court of Justice of the European Union decided on the right of European citizens to ask search engines to “deindex” certain information concerning them, under certain conditions. In particular, the Court stated that this “right to be forgotten” was only valid for judicial information concerning a “private” person (as opposed to a “public” person). Although restricted, this newly created right has attracted much publicity and public interest.
This right to be forgotten, currently existing only “digitally”, is very soon to be extended by the applicability of Article 17 of the GDPR as of 25 May 2018.
This article specifies that the data subject has the right to obtain from the data controller, as soon as possible, the erasure of personal data concerning him/her.
We have listed hereunder some practical questions related to this new provision:
In which case does this right to be forgotten or erasure apply?
This right to erasure is certainly not an absolute right. Article 17 of the GDPR provides six cases in which the data subject may request the erasure of his/her personal data:
- when the personal data concerned are no longer necessary for the purposes for which they were collected or otherwise processed by the controller;
- when the data subject withdraws his/her consent to the processing of the data and there is no other legal basis for the processing (e.g. sensitive data);
- when the data subject objects to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or objects to processing that is necessary for the legitimate interests pursued by the controller or a third party, and there are no overriding legitimate grounds for the processing (in accordance with Article 21.1 of the GDPR); or when the data subject objects to the processing of his or her data for direct marketing purposes, including profiling to the extent that it is related to such direct marketing (in accordance with Article 21.2 of the GDPR);
- when the personal data have been the subject of unlawful processing;
- when the personal data must be erased to comply with a legal obligation provided for by European Union law or the law of the Member State to which the controller is subject;
- when the personal data have been collected in relation to the offer of information society services to a child (in accordance with Article 8 of the GDPR) and therefore relate to a minor.
Although this list is exhaustive, it should be noted that it covers a large number of cases. Moreover, the right to object, the exercise of which may lead to a request for erasure (point 3 above), is also extended by the GDPR (“The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her which is based on [the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or the legitimate interests pursued by the controller or a third party], including profiling based on those [provisions]”).
However, it should be emphasised that this right to erasure or to be forgotten will not prevail in a few specific cases where a higher interest is at stake, such as:
- the exercise of the right to freedom of expression and information;
- compliance with a legal obligation that requires the processing;
- a public interest reason in the field of public health;
- archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, to the extent that the right to erasure or to be forgotten is likely to render impossible or seriously impair the achievement of the objectives of that processing.
What are the specific obligations of the controller?
When the data subject requests, in one of the abovementioned cases, the erasure of his/her personal data, the data controller is required to delete the personal data involved “as soon as possible” and in any case within a maximum of one month after the request.
If the controller has made the personal data involved public and is obliged to erase them, he must take “reasonable steps, including technical measures”, taking into account the available technology and the cost of implementation, to inform the controllers processing such personal data that the data subject has requested the erasure of any links to, copies of or replications of those personal data.
In accordance with Recital 59 of the GDPR, if the controller does not intend to act on the data subject's erasure request, he must give the reasons for his refusal.
Article 13 of the GDPR states that the data controller must henceforth, in particular, inform the data subject of “the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period”, which is also likely to reinforce the idea that certain information must be erased after the expiry of a certain period.
What are the applicable sanctions?
These are not merely principles but binding obligations, since the GDPR also allows each supervisory authority to impose administrative fines in case of non-compliance with the provisions it lays down. The amount depends on the provisions violated.
Regarding the “rights which can be exercised by the data subjects”, including the right to erasure or to be forgotten, a controller that fails to comply with the rules set out above may be liable to an administrative fine of up to the higher of the two following amounts: EUR 20 million or, in the case of a company, 4% of its total worldwide annual turnover for the previous financial year.
We advise you to start thinking about this now and, where necessary, to adapt your internal personal data processing procedures so as to:
- put in place mechanisms, within the framework of a “data retention policy”, to verify that personal data are not retained longer than necessary;
- provide data subjects with clear information and practical means of exercising their right to erasure or to be forgotten (e.g., how to submit the request to the controller). This can be done within the framework of the information obligation (in practice, through a privacy statement or notice);
- put in place a system to control the disclosure of personal data to other data controllers;
- set up internal regulations for the employees who are responsible for the processing of personal data (HR department, marketing, etc.), explaining the rules and procedures to be followed when data subjects invoke the right to erasure;
- implement a procedure enabling the controller to inform the other controllers, efficiently and in a timely manner, of the erasure request made by the data subject, and to ensure the effective deletion of the links to these data or copies of them.