People whose personal data are registered will be given the “right to be forgotten” in the proposed European General Data Protection Regulation. What consequences does this right have for companies? What other rights do the persons whose data are recorded have?
Data subjects have recently been given ‘the right to be forgotten. This means that companies and institutions that process personal data must in certain cases delete them. This right was established in 2014 when the European Court, at the request of a Spaniard, obliged the search engine Google to remove the results referring to a forced sale of its assets in 1998 Click here.
Rights of data subjects
This right is further elaborated in the proposed European General Data Protection Regulation. Data subjects can request companies that process their personal data to:
- access to their personal data;
- rectification of this data;
- deletion of their personal data.
Current situation
Currently, data subjects have the right to have their personal data removed by companies and institutions if the processed personal data:
- be incorrect;
- appear to be incomplete;
- irrelevant for the purpose for which they were processed;
- processed in violation of the law.
New situation
On the basis of the new Regulation, the data subject is entitled to have companies and institutions ensure that data is erased and the further dissemination of data is prevented, if:
- there is no longer a need to keep the personal data processed in relation to the purposes for which they were collected or processed;
- the data subject withdraws his/her consent, and/or when the permitted storage period has expired;
- the data subject objects to the processing of personal data;
- the company or institution does not comply with the other provisions of the Regulation.
Information obligation to third parties
The directive not only obliges to delete the data concerned but also to prevent further dissemination. You are therefore obliged to inform third parties who process data provided by you that the data subject has requested that you delete any link or copy of that personal data.
Action
- Create a protocol for handling requests for information about and modification or deletion of the personal data you have collected.
- Have it checked whether this protocol complies with the upcoming European regulations?
More information
Russell Advocate will regularly inform you about the latest developments regarding this uniform European privacy legislation and its consequences for your company. Would you like to know more about the application of the new European General Data Protection Regulation? Or if you have questions about how you should organize your company in the context of the new privacy legislation, please contact:
Mr. rds. Rainier WL Russell ( reinier.russell@russell.nl ).
You will also find more information about the new European privacy rules in the other news flashes in this series:
- AVG: Fine of up to 100 million euros or more possible
- GDPR: Data Protection Officer
- GDPR: Data breach notification obligation
- AVG: Overview of new European regulations Right To Be Forgotten
Search results
It can be very annoying if when you search for your name in a search engine like Google, unpleasant results are shown. For example, these search results can hinder you in your job search.
Right to be forgotten
The Court of Justice of the European Union ruled on 13a May 2014 that in principle individuals have the right to be forgotten. This is also known as the right to be forgotten, the right to be forgotten, or the right to be forgotten. This means that people can ask search engines to remove search results from their name, in other words, to be disappointed.
Balance of interests
Whether that request should also be granted by the search engines depends on a large number of circumstances. The interests of the applicant must be weighed against the interests of the public to retain access to the information and freedom of expression. So it comes down to the details.
The majority of delete requests rejected
The majority of Dutch requests for removal are rejected. Three-quarters of the rejected requests are rejected on substantive or legal grounds. Almost a quarter of the removal requests are rejected because the requester does not provide enough information.
Legal services Privacy Point
Privacy Punt assesses the feasibility of your business on the basis of our traffic light system. Our starting point is that we offer you a ‘no cure, no pay’ rate. This means that you only incur costs if Privacy Point achieves a positive result for you. We then draw up a factual and legally substantiated removal request.
After the request
If the removal request is unexpectedly rejected, we can ask for mediation by the Dutch Data Protection Authority. If there are grounds for doing so, we can then submit your request to a disputes committee or the court.
Contact
Do you want to make use of the right to forgetting? Please contact Privacy Point. Was a previous request rejected? Ask Privacy Point for a second opinion. We then check whether there are any leads for submitting a new request, for example by substantiating this request in more detail or differently Click here.