The GDPR
Article 17 of Regulation grants a right to be forgotten and to erasure to anyone concerned by personal data processing.
The major contribution of this provision is to establish and to set the conditions for exercising the right to be forgotten, including the obligation for the controller who made public the personal data to inform the third parties of the request of the data subject to erase any links to such data or copies or reproductions that have been made.
Thus, pursuant to Article 17 of the Regulation, the erasure should be obtained without delay when any of the following grounds applies:
- where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- where the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
- where the data subject objects to the processing pursuant to Article 21 and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2);
- where the personal data have been unlawfully processed;
- where the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
- where the personal data have been collected in relation to the offer of information society services relating to children referred to in Article 8 (1).
Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
The right to be forgotten and to erasure will however not be exercised where the processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9 (2) as well as Article 9 (3);
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defence of legal claims.
The Directive
Presented with great fanfare as the major innovation of the Regulation, the right to erasure, however, was already contained, at least in embryo in the Directive, in its Article 12, paragraph b).
We refer here to the important judgment delivered by the Grand Chamber of the Court of Justice of the European Union of 13 May 2014 ((CJEU, Google Spain SL c. Costeja, 13 May 2014, C-121/12). After considering that Google is subject to the provisions of Directive 95/46/EC (or the transposition law) and considered to be a data controller, the Court found that the right to rectification and to object enshrined in those provisions permit a person to remove links to data.
The requests under Articles 12 (b) (rectification) and 14, first paragraph, (a) (object) of the Directive could be made directly by the data subject to the controller who must duly consider the grounds thereof and, if necessary, terminate the processing of the data in question. When the controller fails to respond to these requests, the data subject can notify supervisory authority or judicial authority to carry out the necessary checks and order the controller to perform specific actions accordingly.
Potential issues
Both under the Directive and under the aegis of the Regulation, neither the general right to object, nor the right to be forgotten are absolute.
It is certain that the specific circumstanceswill be decisive and will make the legitimate requests to erase more predictable. The problem will result rather from implementing exceptionsand weighing up competing interests, the responsibility for which will rest on the controller.
The ubiquitous nature of the Internet and the possibility of unlimited replications of the information on the Web require further the data subject to endlessly repeat their request for erasure to the search engines, once new websites containing such information appear. This time-consuming exercise will discourage data subjects. This situation is not likely to guarantee to the citizen a real mastery of their personal data.
Will the obligation on the controller to inform the other controllers processing the data that are subject to the erasure request simplify the task of the data subjects? We will see in practice and in view of the limits permitted by the text itself (at what point and does this obligation become unreasonable?).
European Union
European data protection board (EDPB)
Guidelines on the criteria of the Right to be Forgotten in the search engines cases under the GDPR - 5/2019 (7 July 2020)
1. Following the Costeja judgment of the Court of Justice of the European Union (“CJEU”) of the 13th of May 20142 , a data subject may request the provider of an online search engine (“search engine provider”) , to erase one or more links to web pages from the list of results displayed following a search made on the basis of his or her name.
2. According to Google’s Transparency Report4 , the percentage of URLs that Google has not delisted has not increased over the past 5 years since that judgement. However, further to the CJEU judgement, data subjects seem to be more aware of their right to lodge a complaint for refusals of their delisting requests since Supervisory Authorities have observed an increase in the number of complaints regarding the refusal by search engine providers to delist links.
3. The European Data Protection Board (the “EDPB”), in accordance with its Action Plan, is developing guidelines in respect of Article 17 of the General Data Protection Regulation (“GDPR”). Until those guidelines are finalised, Supervisory Authorities must continue to handle and investigate, to the extent possible, complaints from data subjects and in a timely manner as possible.
4. Accordingly, this document aims to interpret the Right to be Forgotten in the search engines cases in light of the provisions of Article 17 GDPR (the “Right to request delisting”). Indeed, the Right to be Forgotten has been especially enacted under Article 17 GDPR to take into account the Right to request delisting established in the Costeja judgement.
5. Nonetheless, as under the Directive 95/46/EC of 24 October 1995 (the “Directive”) and as stated by the CJEU in its aforementioned Costeja judgement5 , the Right to request delisting implies two rights (Right to Object and Right to Erasure GDPR). Indeed, the application of Article 21 is expressly foreseen as the third ground for the Right to erasure. As a result, both Article 17 and Article 21 GDPR can serve as a legal basis for delisting requests. The right to object and the right to obtain erasure were already granted under the Directive. Nonetheless, as it will be addressed, the wording of the GDPR requires an adjustment of the interpretation of these rights.
6. As a preliminary point, it should be noted that, while Article 17 GDPR is applicable to all data controllers, this paper focuses solely on processing by search engine providers and delisting requests submitted by data subjects.
7. There are some considerations when applying Article 17 GDPR in respect of a search engine provider’s data processing. In this regard, it is necessary to state that the processing of personal data carried out in the context of the activity of the search engine provider must be distinguished from processing that is carried out by the publishers of the third-party websites such as media outlets that provide online newspaper content .
8. If a data subject obtains the delisting of a particular content, this will result in the deletion of that specific content from the list of search results concerning the data subject when the search is, as a main rule, based on his or her name. This content will however still be available using other search criteria.
9. Delisting requests do not result in the personal data being completely erased. Indeed, the personal data will neither be erased from the source website nor from the index and cache of the search engine provider. For example, a data subject may seek the delisting of personal data from a search engine’s index which have originated from a media outlet, such as a newspaper article. In this instance, the link to the personal data may be delisted from the search engine’s index; however, the article in question will still remain within the control of the media outlet and may remain publicly available and accessible, even if no longer visible in search results based on queries that include in principle the data subject’s name.
10. Nevertheless, search engine providers are not exempt in a general manner from the duty to fully erase. In some exceptional cases, they will need to carry out actual and full erasure in their indexes or caches. For example, in the event that search engine providers would stop respecting robots.txt requests implemented by the original publisher, they would actually have a duty to fully erase the URL to the content, as opposed to delist which is mainly based on data subject’s name.
11. This paper is divided into two topics. The first topic concerns the grounds a data subject can rely on for a delisting request sent to a search engine provider pursuant to Article 17.1 GDPR. The second topic concerns the exceptions to the Right to request delisting according to Article 17.3 GDPR. This paper will be supplemented by an appendix dedicated to the assessment of criteria for handling complaints for refusals of delisting.
12. This paper does not address Article 17.27 GDPR. Indeed, this Article requires data controllers who have made the personal data public to inform controllers who have then reused those personal data through links, copies or replications. Such obligation of information does not apply to search engine providers when they find information containing personal data published or placed on the internet by third parties, index it automatically, store it temporarily and make it available to internet users according to a particular order of preference . In addition, it does not require search engine providers, who have received a data subject’s delisting request, to inform the third party which made public that information on the internet. Such obligation seeks to give greater responsibility to original controllers and try to prevent from multiplying data subjects’ initiatives. In this regard, the statement by the Article 29 Working Party, saying that search engine providers “should not as a general practice inform the webmasters of the pages affected by de-listing of the fact that some webpages cannot be acceded from the search engine in response to specific queries” because “such communication has no legal basis under EU data protection law remains valid. It is also planned to have separate specific guidelines in respect of Article 17.2 GDPR.
Link
Retour au sommaire
Article 29 Working Party
Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 - wp251rev.01 (6 February 2018)
(Endorsed by the EDPB)
The General Data Protection Regulation (the GDPR), specifically addresses profiling and automated individual decision-making, including profiling.
Profiling and automated decision-making are used in an increasing number of sectors, both private and public. Banking and finance, healthcare, taxation, insurance, marketing and advertising are just a few examples of the fields where profiling is being carried out more regularly to aid decision-making.
Advances in technology and the capabilities of big data analytics, artificial intelligence and machine learning have made it easier to create profiles and make automated decisions with the potential to significantly impact individuals’ rights and freedoms.
The widespread availability of personal data on the internet and from Internet of Things (IoT) devices, and the ability to find correlations and create links, can allow aspects of an individual’s personality or behaviour, interests and habits to be determined, analysed and predicted.
Profiling and automated decision-making can be useful for individuals and organisations, delivering benefits such as:
- increased efficiencies; and
- resource savings.
They have many commercial applications, for example, they can be used to better segment markets and tailor services and products to align with individual needs. Medicine, education, healthcare and transportation can also all benefit from these processes.
However, profiling and automated decision-making can pose significant risks for individuals’ rights and freedoms which require appropriate safeguards.
These processes can be opaque. Individuals might not know that they are being profiled or understand what is involved.
Profiling can perpetuate existing stereotypes and social segregation. It can also lock a person into a specific category and restrict them to their suggested preferences. This can undermine their freedom to choose, for example, certain products or services such as books, music or newsfeeds. In some cases, profiling can lead to inaccurate predictions. In other cases it can lead to denial of services and goods and unjustified discrimination.
The GDPR introduces new provisions to address the risks arising from profiling and automated decision-making, notably, but not limited to, privacy. The purpose of these guidelines is to clarify those provisions.
This document covers:
- Definitions of profiling and automated decision-making and the GDPR approach to these in general – Chapter II
- General provisions on profiling and automated decision-making – Chapter III
- Specific provisions on solely automated decision-making defined in Article 22 - Chapter IV
- Children and profiling – Chapter V
- Data protection impact assessments and data protection officers– Chapter VI
The Annexes provide best practice recommendations, building on the experience gained in EU Member States.
The Article 29 Data Protection Working Party (WP29) will monitor the implementation of these guidelines and may complement them with further details as appropriate.
Link
Retour au sommaire
European Union
CJEU caselaw
C-553/07 (7 May 2009) - Rijkeboer
Article 12(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data requires Member States to ensure a right of access to information on the recipients or categories of recipient of personal data and on the content of the data disclosed not only in respect of the present but also in respect of the past. It is for Member States to fix a time-limit for storage of that information and to provide for access to that information which constitutes a fair balance between, on the one hand, the interest of the data subject in protecting his privacy, in particular by way of his rights to object and to bring legal proceedings and, on the other, the burden which the obligation to store that information represents for the controller.
Rules limiting the storage of information on the recipients or categories of recipient of personal data and on the content of the data disclosed to a period of one year and correspondingly limiting access to that information, while basic data is stored for a much longer period, do not constitute a fair balance of the interest and obligation at issue, unless it can be shown that longer storage of that information would constitute an excessive burden on the controller. It is, however, for national courts to make the determinations necessary.
Opinion of Advocate general
Judgment of the Court
C-486/12 (12 December 2013) - X
1. Article 12(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as not precluding the levying of fees in respect of the communication of personal data by a public authority.
2. Article 12(a) of Directive 95/46 must be interpreted as meaning that, in order to ensure that fees levied when the right to access personal data is exercised are not excessive for the purposes of that provision, the level of those fees must not exceed the cost of communicating such data. It is for the national court to carry out any verifications necessary, having regard to the circumstances of the case.
Judgment of the Court
C-131/12 (13 May 2014) - Google Spain and Google
1. Article 2(b) and (d) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data are to be interpreted as meaning that, first, the activity of a search engine consisting in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users according to a particular order of preference must be classified as ‘processing of personal data’ within the meaning of Article 2(b) when that information contains personal data and, second, the operator of the search engine must be regarded as the ‘controller’ in respect of that processing, within the meaning of Article 2(d).
2. Article 4(1)(a) of Directive 95/46 is to be interpreted as meaning that processing of personal data is carried out in the context of the activities of an establishment of the controller on the territory of a Member State, within the meaning of that provision, when the operator of a search engine sets up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State.
3. Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, in order to comply with the rights laid down in those provisions and in so far as the conditions laid down by those provisions are in fact satisfied, the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.
4. Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, when appraising the conditions for the application of those provisions, it should inter alia be examined whether the data subject has a right that the information in question relating to him personally should, at this point in time, no longer be linked to his name by a list of results displayed following a search made on the basis of his name, without it being necessary in order to find such a right that the inclusion of the information in question in that list causes prejudice to the data subject. As the data subject may, in the light of his fundamental rights under Articles 7 and 8 of the Charter, request that the information in question no longer be made available to the general public on account of its inclusion in such a list of results, those rights override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name. However, that would not be the case if it appeared, for particular reasons, such as the role played by the data subject in public life, that the interference with his fundamental rights is justified by the preponderant interest of the general public in having, on account of its inclusion in the list of results, access to the information in question.
Opinion of Advocate general
Judgment of the Court
C-141/12 ; C-372/12 (17 July 2014) - YS e.a.
1. Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that the data relating to an applicant for a residence permit contained in an administrative document, such as the ‘minute’ at issue in the main proceedings, setting out the grounds that the case officer puts forward in support of the draft decision which he is responsible for drawing up in the context of the procedure prior to the adoption of a decision concerning the application for such a permit and, where relevant, the data in the legal analysis contained in that document, are ‘personal data’ within the meaning of that provision, whereas, by contrast, that analysis cannot in itself be so classified.
2. Article 12(a) of Directive 95/46 and Article 8(2) of the Charter of Fundamental Rights of the European Union must be interpreted as meaning that an applicant for a residence permit has a right of access to all personal data concerning him which are processed by the national administrative authorities within the meaning of Article 2(b) of that directive. For that right to be complied with, it is sufficient that the applicant be in possession of a full summary of those data in an intelligible form, that is to say a form which allows that applicant to become aware of those data and to check that they are accurate and processed in compliance with that directive, so that he may, where relevant, exercise the rights conferred on him by that directive.
3. Article 41(2)(b) of the Charter of Fundamental Rights of the European Union must be interpreted as meaning that the applicant for a residence permit cannot rely on that provision against the national authorities.
Opinion of Advocate general
Judgment of the Court
C-398/15 (9 March 2017) - Manni
Article 6(1)(e), Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, read in conjunction with Article 3 of the First Council Directive 68/151/EEC of 9 March 1968 on co-ordination of safeguards which, for the protection of the interests of members and others, are required by Member States of companies within the meaning of the second paragraph of Article 58 of the Treaty, with a view to making such safeguards equivalent throughout the Community, as amended by Directive 2003/58/EC of the European Parliament and of the Council of 15 July 2003, must be interpreted as meaning that, as EU law currently stands, it is for the Member States to determine whether the natural persons referred to in Article 2(1)(d) and (j) of that directive may apply to the authority responsible for keeping, respectively, the central register, commercial register or companies register to determine, on the basis of a case-by-case assessment, if it is exceptionally justified, on compelling legitimate grounds relating to their particular situation, to limit, on the expiry of a sufficiently long period after the dissolution of the company concerned, access to personal data relating to them, entered in that register, to third parties who can demonstrate a specific interest in consulting that data.
Opinion of Advocate general
Judgment of the Court
C‑507/17 (24 september 2019) - Google (Territorial scope of de-referencing)
On a proper construction of Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and of Article 17(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 (General Data Protection Regulation), where a search engine operator grants a request for de-referencing pursuant to those provisions, that operator is not required to carry out that de-referencing on all versions of its search engine, but on the versions of that search engine corresponding to all the Member States, using, where necessary, measures which, while meeting the legal requirements, effectively prevent or, at the very least, seriously discourage an internet user conducting a search from one of the Member States on the basis of a data subject’s name from gaining access, via the list of results displayed following that search, to the links which are the subject of that request.
Opinion of Advocate general
Judgment of the Court
C-136/17 (24 September 2019)
1. The provisions of Article 8(1) and (5) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that the prohibition or restrictions relating to the processing of special categories of personal data, mentioned in those provisions, apply also, subject to the exceptions provided for by the directive, to the operator of a search engine in the context of his responsibilities, powers and capabilities as the controller of the processing carried out in connection with the activity of the search engine, on the occasion of a verification performed by that operator, under the supervision of the competent national authorities, following a request by the data subject.
2. The provisions of Article 8(1) and (5) of Directive 95/46 must be interpreted as meaning that the operator of a search engine is in principle required by those provisions, subject to the exceptions provided for by the directive, to accede to requests for de-referencing in relation to links to web pages containing personal data falling within the special categories referred to by those provisions. Article 8(2)(e) of Directive 95/46 must be interpreted as meaning that, pursuant to that article, such an operator may refuse to accede to a request for de-referencing if he establishes that the links at issue lead to content comprising personal data falling within the special categories referred to in Article 8(1) but whose processing is covered by the exception in Article 8(2)(e) of the directive, provided that the processing satisfies all the other conditions of lawfulness laid down by the directive, and unless the data subject has the right under Article 14(a) of the directive to object to that processing on compelling legitimate grounds relating to his particular situation. The provisions of Directive 95/46 must be interpreted as meaning that, where the operator of a search engine has received a request for de-referencing relating to a link to a web page on which personal data falling within the special categories referred to in Article 8(1) or (5) of Directive 95/46 are published, the operator must, on the basis of all the relevant factors of the particular case and taking into account the seriousness of the interference with the data subject’s fundamental rights to privacy and protection of personal data laid down in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, ascertain, having regard to the reasons of substantial public interest referred to in Article 8(4) of the directive and in compliance with the conditions laid down in that provision, whether the inclusion of that link in the list of results displayed following a search on the basis of the data subject’s name is strictly necessary for protecting the freedom of information of internet users potentially interested in accessing that web page by means of such a search, protected by Article 11 of the Charter.
3. The provisions of Directive 95/46 must be interpreted as meaning that
– first, information relating to legal proceedings brought against an individual and, as the case may be, information relating to an ensuing conviction are data relating to ‘offences’ and ‘criminal convictions’ within the meaning of Article 8(5) of Directive 95/46, and
– second, the operator of a search engine is required to accede to a request for de-referencing relating to links to web pages displaying such information, where the information relates to an earlier stage of the legal proceedings in question and, having regard to the progress of the proceedings, no longer corresponds to the current situation, in so far as it is established in the verification of the reasons of substantial public interest referred to in Article 8(4) of Directive 95/46 that, in the light of all the circumstances of the case, the data subject’s fundamental rights guaranteed by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union override the rights of potentially interested internet users protected by Article 11 of the Charter.
Judgment of the court
Opinion of advocate general
C-129/21, (27 october 2022) Proximus (Annuaires électroniques publics)
2) L’article 17 du règlement 2016/679
doit être interprété en ce sens que :
la demande d’un abonné tendant à la suppression de ses données à caractère personnel des annuaires ainsi que des services de renseignements téléphoniques accessibles au public constitue un recours au « droit à l’effacement », au sens de cet article.
3) L’article 5, paragraphe 2, et l’article 24 du règlement 2016/679
doivent être interprétés en ce sens que :
une autorité de contrôle nationale peut exiger que le fournisseur d’annuaires et de services de renseignements téléphoniques accessibles au public, en tant que responsable du traitement, prenne les mesures techniques et organisationnelles appropriées pour informer les responsables du traitement tiers, à savoir l’opérateur de services téléphoniques qui lui a communiqué les données à caractère personnel de son abonné ainsi que les autres fournisseurs d’annuaires et de services de renseignements téléphoniques accessibles au public auxquels il a fourni de telles données, du retrait du consentement de cet abonné.
4) L’article 17, paragraphe 2, du règlement 2016/679
doit être interprété en ce sens que :
il ne s’oppose pas à ce qu’une autorité de contrôle nationale ordonne à un fournisseur d’annuaires et de services de renseignements téléphoniques accessibles au public, auquel l’abonné d’un opérateur de services téléphoniques a demandé de ne plus publier les données à caractère personnel le concernant, de prendre des « mesures raisonnables », au sens de cette disposition, afin d’informer les fournisseurs de moteurs de recherche de cette demande d’effacement des données.
Arret de la cour (fr only)
Conclusions de l'avocat général (fr only)
C-460/20, 8 décember 2022, Google
1. Article 17(3)(a) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation),
must be interpreted as meaning that within the context of the weighing-up exercise which is to be undertaken between the rights referred to in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, on the one hand, and those referred to in Article 11 of the Charter of Fundamental Rights, on the other hand, for the purposes of examining a request for de-referencing made to the operator of a search engine seeking the removal of a link to content containing claims which the person who submitted the request regards as inaccurate from the list of search results, that de-referencing is not subject to the condition that the question of the accuracy of the referenced content has been resolved, at least provisionally, in an action brought by that person against the content provider.
2. Article 12(b) and point (a) of the first paragraph of Article 14 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, as well as Article 17(3)(a) of Regulation 2016/679
must be interpreted as meaning that in the context of the weighing-up exercise which is to be undertaken between the rights referred to in Articles 7 and 8 of the Charter of Fundamental Rights, on the one hand, and those referred to in Article 11 of the Charter of Fundamental Rights, on the other hand, for the purposes of examining a request for de-referencing made to the operator of a search engine seeking the removal from the results of an image search carried out on the basis of the name of a natural person of photographs displayed in the form of thumbnails representing that person, account must be taken of the informative value of those photographs regardless of the context of their publication on the internet page from which they are taken, but taking into consideration any text element which accompanies directly the display of those photographs in the search results and which is capable of casting light on the informative value of those photographs.
Judgment of the court
Conclusions of the advocate general
C-60/22 (4 may 2023) - Bundesrepublik Deutschland
1. Article 17(1)(d) and Article 18(1)(b) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
must be interpreted as meaning that failure by the controller to comply with the obligations laid down in Articles 26 and 30 of that regulation, which relate, respectively, to the conclusion of an arrangement determining joint responsibility for processing and to the maintenance of a record of processing activities, does not constitute unlawful processing conferring on the data subject a right to erasure or restriction of processing, where such a failure does not, as such, entail an infringement by the controller of the principle of ‘accountability’ as set out in Article 5(2) of that regulation, read in conjunction with Article 5(1)(a) and the first subparagraph of Article 6(1) thereof.
2. EU law must be interpreted as meaning that, where the controller of personal data has failed to comply with its obligations under Articles 26 or 30 of Regulation 2016/679, the lawfulness of the taking into account of such data by a national court is not subject to the data subject’s consent.
Judgment of the court
C‑26/22 et C‑64/22, UF (C‑26/22), AB (C‑64/22) v. Land Hessen (7 December 2023)
1. Article 78(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
must be interpreted as meaning that a decision on a complaint adopted by a supervisory authority is subject to full judicial review.
2. Article 5(1)(a) of Regulation 2016/679, read in conjunction with point (f) of the first subparagraph of Article 6(1) of that regulation,
must be interpreted as precluding a practice of private credit information agencies consisting in retaining, in their own databases, information from a public register relating to the grant of a discharge from remaining debts in favour of natural persons in order to be able to provide information on the solvency of those persons, for a period extending beyond that during which the data are kept in the public register.
3. Article 17(1)(c) of Regulation 2016/679
must be interpreted as meaning that the data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where he or she objects to the processing pursuant to Article 21(1) of that regulation and there are no overriding legitimate grounds capable of justifying, exceptionally, the processing in question.
4. Article 17(1)(d) of Regulation 2016/679
must be interpreted as meaning that the controller is required to erase unlawfully processed personal data as soon as possible.
Decision of the court
Opinion of the advocate general
C‑118/22, Direktor na Glavna direktsia "Natsionalna politsia" pri MVR - Sofia (30 January 2024)
Article 4(1)(c) and (e) of Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, read in conjunction with Articles 5 and 10, Article 13(2)(b) and Article 16(2) and (3) thereof, and in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union,
must be interpreted as precluding national legislation which provides for the storage, by police authorities, for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, of personal data, including biometric and genetic data, concerning persons who have been convicted by final judgment of an intentional criminal offence subject to public prosecution, until the death of the data subject, even in the event of his or her legal rehabilitation, without imposing on the data controller the obligation to review periodically whether that storage is still necessary, nor granting that data subject the right to have those data erased, where their storage is no longer necessary for the purposes for which they are processed or, where appropriate, to have the processing of those data restricted.
Decision of the court
Opinion of the advocate general
Retour au sommaire
Retour au sommaire