Blogs from lawyers
in Amsterdam

The right to oblivion under the GDPR

The right to oblivion under the GDPR

On May 25, 2018, the General Data Protection Regulation (GDPR) will come into force. From that moment the same privacy legislation will be applicable in all member states of the European Union (EU). The Dutch Protection of Personal Data and Privacy Law (Wet bescherming persoonsgegevens) will then no longer be in force. The GDPR will bring change. Organizations will have more responsibilities and fines may be incurred up to EUR 20,000,000.-.

The right to oblivion

According to article 17 GDPR subjects have the right to oblivion. According to article 17 GDPR organizations are in some cases obliged to remove personal data at a subjects request.

Conditions for the right to oblivion

The right to oblivion is not endless. Hereunder we will discuss a few situations in which the right to oblivion is applicable. According to the GDPR the right to oblivion is applicable in case the organization doesn’t need the personal data any longer for the aims wherefore het organization collected this personal data.

The second situation is the situation wherein the subject has given its approval in an earlier stage to the organization for the use of its data, but now withdraws its approval.

In the third place is the situation wherein the subject is making an objection against the processing of its personal data. According to article 21 GDPR there is an absolute right of objection against direct marketing. According to this article in de GDPR there is also a personal right of objection if the rights of the subject outweighs the interest of the organization to process the personal data of the subject.

The unlawful processing

The next ground of a right to oblivion is the unlawful processing. If the organization processes personal data unlawfully, i.e. if there is no legal ground for the process, the subject has a right to oblivion. Furthermore, an organization has the obligation to delete the personal data after an amount of time. Furthermore, children younger than 16 years have the right to oblivion if their data has been collected by an app or website.

When is there no right to oblivion?

According to the GDPR there are some situations wherein there is no right to oblivion. For instance when the processing is necessary to practice the right of freedom of speech and information, the organization processes the data to meet its statutory obligations, the organization is processing data for tasks carried out in the public interest or public authority, the organization processes data for a task carried out in the public interest and public health, the organization has to keep records in the public interest and in the situation that the data is necessary for legal action.

Furthermore, in article 23 of the GDPR a few general exceptions are included on the rights of the subject. Article 23 GDPR gives organizations in special circumstances the opportunity to disregard subjects requests. The organization will then have to make a balance of interests from which they can conclude that their interest (the rights and freedoms of others) outweigh the privacy right of the subject. For instance, a subject should not be able to appeal to the right to oblivion to erase traces of criminal behavior.

What should my organization do when a subject requests to remove its data?

In principle, if the subject asks to its right to oblivion, the organization should remove its data promptly, or at least within a month. In the situation that the request of the subject is very complicated, the organization will be given two months extra time. The organization is then obligated to let the subject know that its request will take longer.

If the subject requests your organization by e-mail to remove its data, the organization should respond in principle by e-mail as well. In principle, the request has to be free of charge for the subject. Only in the event that the organization can prove that the request is unfounded or excessive, a reasonable fee may be incurred. The request may then also be denied.

Inform third parties

In the event the organization has distributed the data to third parties, the organization has the obligation to inform third parties that the data has been (or has to be) erased. The organization should inform the third party that every copy and/or link to the personal data should be erased. For instance when an organization is publishing on a website, search engines have to be informed. Therefore, you may have your webpage indexed from the bottom up. The erased personal data will then no longer appear in search results of the search engine. The subject may ask which third parties your organization has informed. The organization is then also obligated to inform the subject hereabout. Keep in mind that the right to oblivion is also applicable on backups.

Privacydesk attorneys

Would you like to have any more information concerning the GDPR? Does your organization need to comply with right to oblivion requests? You can ask all your questions concerning the GDPR to Lisa Jie Sam Foek, one of the privacydesk attorneys.

LAW - associated firm

Together with a number of international law firms outside
The Netherlands, Blenheim is member of Lawyers Associated Worldwide.

read more

Contact form

Categories

Movie

Contact form