Privacy: The right to be forgotten

Any person whose data is processed is provided with “the right to be forgotten” in the proposed European General Data Protection Regulation. What are the consequences of this right for businesses? What other rights do persons have whose data have been processed?

Data subjects have recently been given “the right to be forgotten”. This means companies and institutions processing data must delete data in certain cases. This right was stipulated in 2014, when the European Court forced the search engine Google, on request of a Spanish citizen, to erase search results referring to a forced sale of his property in 1998.

Rights of those concerned

In the proposed European General Data Protection Regulation this right is further developed. Persons concerned can request companies processing their data to:

• provide access to their data;
• rectify these data;
• delete the data.

Current situation

Currently, data subjects have the right to have their data deleted by companies and institutions if the personal data processed are:

• inaccurate;
• incomplete;
• not in relation to the purposes for which the data was processed;
• processed in breach of the law.

New situation

Pursuant to the new Regulation the person in question has the right that companies and institutions delete the data and that further spread of the data will not occur if:

• it is no longer required to store the processed personal data for the purpose they used to be collected or processed for;
• the person in question withdraws his/her consent, and/or when the period allowed for data storage has passed;
• the person in question lodges a complaint against the processing of personal data;
• the company or institution does not comply with the other provisions of the Regulation.

Information obligation towards third parties

The regulation forces not only to delete the data in question but also to prevent further spread thereof. Therefore, you are obliged to inform third parties who process data provided by you of the person in question’s request to delete any link or copy of the personal data.

Action

• Create a protocol for handling requests about information, modification or deletion of personal data collected by you.
• Make sure to check whether this protocol complies with the upcoming European regulation.

More information

Russell Advocaten will inform you regularly on the latest developments regarding the uniform European Data Protection legislation and the consequences for your business. Would you like to know more about the application of the European General Data Protection Regulation or do you have any questions about how to organize your business with regard to the new European General Data Protection Regulation? Please contact: