Article 17
Right to erasure (‘right to be forgotten’)
(25) Whereas the principles of protection must be reflected, on the one hand, in the obligations imposed on persons, public authorities, enterprises, agencies or other bodies responsible for processing, in particular regarding data quality, technical security, notification to the supervisory authority, and the circumstances under which processing can be carried out, and, on the other hand, in the right conferred on individuals, the data on whom are the subject of processing, to be informed that processing is taking place, to consult the data, to request corrections and even to object to processing in certain circumstances;
Regulation
Art. 17 1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing; (c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2); (d) the personal data have been unlawfully processed; (e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; (f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1). 2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data. 3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary: (a) for exercising the right of freedom of ex (b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3); (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or (e) for the establishment, exercise or defence of legal claims. |
Directive
Art. 12 Member States shall guarantee every data subject the right to obtain from the controller: (a) without constraint at reasonable intervals and without excessive delay or expense: - confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed, - communication to him in an intelligible form of the data undergoing processing and of any available information as to their source, - knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred to in Article 15 (1); (b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data; (c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort. |
Spain
Article 16.- Right of rectification or cancellation.- Organic Law 15/1999 on the Protection of Personal Data.- The controller shall be obliged to implement the right of rectification or cancellation of the data subject within a period of ten days. 2. Rectification or cancellation shall apply to data whose processing is not in accordance with the provisions of this Law and, in particular, when such data are incorrect or incomplete. 3. Cancellation shall lead to the data being blocked and maintained solely at the disposal of the public administrations, judges and courts, for the purpose of determining any liability arising from the processing, and for the duration of such liability. On expiry of such liability, they shall be deleted. 4. If the data rectified or cancelled have previously been communicated, the controller shall notify the person to whom they have been communicated of the rectification or cancellation. If the processing is being maintained by that person, he shall also cancel the data. 5. Personal data shall be kept for the periods set out in the relevant provisions or, where applicable, in the contractual relations between the person or body responsible for the processing ("the controller") and the data subject.
Article 17.- Objection, access, rectification or cancellation procedure.- Organic Law 15/1999 on the Protection of Personal Data.- 1. The procedures for exercising the right of objection, access, rectification and cancellation shall be established by regulation. 2. No consideration shall be demanded for the exercise of the rights of objection, access, rectification or cancellation.
Article 18.- Supervision of rights.- Organic Law 15/1999 on the Protection of Personal Data.- 1. Acts contrary to the provisions of this Law may be the subject of complaints by data subjects to the Data Protection Agency in the form laid down by regulation. 2. A data subject who is denied, either wholly or partially, the exercise of the rights of objection, access, rectification or cancellation, may bring this to the attention of the Data Protection Agency or, where applicable, to the competent body in each Autonomous Community, which must decide on the admissibility or inadmissibility of the denial. 3. The maximum period within which a decision on the ownership of data must be reached shall be six months. 4. An appeal may be lodged against the decisions of the Data Protection Agency.
Article 31.- Rights of Rectification and Erasure.- Royal Decree 1720/2007 Implementing the Organic Law 15/1999.- 1. The right of rectification is the right of the data subject to have inaccurate or incomplete data amended. 2. The exercise of the right of erasure shall give rise to the deletion of data that is inadequate or excessive, without prejudice to the duty to blocking pursuant to this Regulation. Should the data subject call for the exercise of the right of erasure to revoke previously given consent, the provisions of Organic Law 15/1999, of 13 December and those herein shall be applied.
Article 32.- Exercising the Rights of Rectification and Erasure.- Royal Decree 1720/2007 Implementing the Organic Law 15/1999.- 1. The request for rectification shall indicate to which data it refers and the correction to be made and shall include the documentation justifying the request. In the request for erasure, the data subject shall indicate to which data it refers, providing the documentation justifying the request, if appropriate. 2. The data controller shall settle the request for rectification or erasure within ten days from receipt of the request. On the expiry of this time limit if the request has not been expressly answered, the data subject may file a claim as provided in Article 18 of Organic Law 15/1999, of 13 December. Should the data controller not hold data subject’s personal data, he shall equally communicate this within the same period of time. 3. If the rectified or erased data has been previously assigned, the data controller shall communicate the rectification or erasure made to the recipient, within the same period of time, so that he may, also within ten days starting from receipt of such communication, proceed to similarly rectify or erase the data. The rectification or erasure by the recipient shall not require any communication to the data subject, without prejudice to the exercise of the rights by the data subjects recognised in Organic Law 15/1999, of 13 December.
Article 33.- Denial of the Rights of Rectification and Erasure.- Royal Decree 1720/2007 Implementing the Organic Law 15/1999.- 1. Erasure shall be denied when the personal data must be stored for the periods of time provided in the applicable provisions or, if appropriate, in the contractual relations between the data controller and the data subject which justified the processing of the data. 2. The rights of rectification or erasure may also be denied if thus provided by law or a directly applicable community rule of law, or when these prevent the data controller from disclosing to data subjects the processing of the data to which the access refers. 3. In any case, the data controller shall inform the data subject of his right to obtain the protection of the Spanish Data Protection Agency or, if appropriate, the supervisory authorities of the Autonomous Communities, pursuant to the provisions of Article 18 of Organic Law 15/1999, of 13 December. |