What is the right to be forgotten anyway?
The right to be forgotten is a right that derives from the provisions of the RODO, or Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
Article 17 of the DPA provides that any data subject has the right to request from the controller the immediate erasure of the data and it is the controller’s obligation to erase the data without undue delay.
When can you request deletion of data?
The data subject may request erasure if:
- personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
- the data subject has withdrawn the consent on which the processing is based and there is no other legal basis for the processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- personal data have been unlawfully processed;
- the personal data must be erased in order to comply with a legal obligation laid down by Union law or by the law of a Member State to which the controller is subject;
- personal data was collected in connection with the offering of information society services;
- in a situation when he/she finds that the data are no longer necessary for the purposes for which they were collected, the person has withdrawn the consent to their processing, he/she recognizes that the processing of the personal data is unlawful then he/she can demand from the controller to delete his/her data on the basis of the above mentioned Art. 17 RODO.
The burden of proving the above-mentioned prerequisites shall lie with the person requesting the erasure.
What’s next?
In case a person requests the controller to delete the data, the controller is obliged to verify whether any of the prerequisites indicated in Article 17 RODO apply and the person has the right to request the deletion of the indicated data.
In the course of the verification, the controller shall examine premises which may indicate that the data should in fact be deleted.
After the process is completed, the Administrator shall inform the data subject about the execution of the request. The Administrator may also determine that none of the aforementioned prerequisites apply and he/she does not have the relevant authorization to erase the data; in such case he/she shall refuse to erase the data.
If the controller is informed of a failure to comply with a request to this effect, the person whose data has not been deleted may apply to the supervisory authority for an order to comply with the request. If the authority decides that the request is justified, it should issue a decision ordering the controller to comply with this obligation.
If the request for deletion is complied with, such action shall terminate the proceedings in this regard.
Deadlines
When performing the above tasks, the controller shall, without undue delay – and in any event within one month of receiving the request – inform the data subject of the action taken in response to the request for erasure. Where necessary, that time limit may be extended by a further two months because of the complexity of the request or the number of requests. However, within the period of one month the controller shall inform the data subject about the extension of the time-limit and provide the reason for the delay.
Fees
As a general rule, the procedure for requesting erasure shall be free of charge, but the Controller may charge a reasonable fee if the requests are manifestly unreasonable or excessive. He shall then either take into account the costs of taking the requested action or refuse to act on the request.
This law raises many questions and problems.
Feel free to contact me.
17 listopada, 2022 Brak komentarzy