Privacy: the right to be forgot

You may not notice much of privacy legislation and its changes during your work. Yet someone who deals with personnel matters has to deal with it on a daily basis. Just think of the information you store in a (digital) personnel file, information you collect or provide about an applicant, data about absenteeism, an e-mail to a colleague or external advisor about one of your employees. In other words: in practice you probably perform many activity without realizing that data that can be trace back to individual fall under the scope of privacy legislation. And that means that processing* of personal data is not just allow.

Also read: derecho al olvido

Changes in privacy legislation

On January 1, 2016, a number of change have already made to the privacy legislation. Since then, for example, you are oblige to report every ‘data breach’ to the Dutch Data Protection Authority under penalty of a fine. Other important changes will take effect next year. On May 25, 2018, the General Data Protection Regulation (GDPR), adopted by the European Parliament on April 26, 2016, will have direct effect within all Member States of the European Union. This European regulation protects natural persons against the processing of their personal data and the free movement of such data. The ‘old’ European Directive 95/45/EC (“Privacy Directive”) and the Personal Data Protection Act (WFP) based on it are no longer in force from then on.

What is the right to be forgot?

The right to be forgot mean that the person who so request has the right to have the personal data concerning him or her delete without undue delay. This is possible in a number of situation. You can think of the situation where the personal data are no longer necessary for the purpose for which they were collect. Take, for example, the documents in a personnel file, for which the legal retention period has expired. The employee can request you to destroy it. This also apply to personal data that unlawfully process, for example the inclusion of someone’s race in a personnel file. This information does not fit within the purpose of a personnel file and may not be process therein without permission.

Passing on request to be forgot is mandatory

Does the controller** receive a request for oblivion and is it data that he in turn has passed on to other parties? In that case, when disseminating personal data, the controller must, within reasonable and available technology, take measures to inform the third parties to which the personal data has been disseminate of the request for erasure. This means that if you have made information public on the internet, you must remove all links. If other parties now also use the data that you have to delete, you are oblige to inform those part that the data delete. At the request of the applicant, you may also be require to list the part you have inform about this.

Also read: sharenting que es

What else should you pay attention to?

  • You must comply with a request for deletion within one month. May only allow two months for this if it concerns a very complex request. You must notify the applicant of this.
  • If the applicant has contacted you via digital means, you must in principle also respond via that route, unless the applicant has asked you otherwise.
  • Refusal of the request on oblivion is only possible if the request is unfound or if someone submit an excessive number of request to you.
  • You are not allow to charge any costs for a regular request on oblivion. If you receive many requests from the same person, you may send an invoice.
  • The applicant has the option of submitting a complaint against the controller to the Dutch Data Protection Authority, which is authorize to impose a fine. Apart from that, the applicant can also apply to the court.

A more limit right to be forgot already exist

The right to be forgot is not new. The same right is also include in Article 36 of the WFP and in the Privacy Directive. However, the right to be forgot was limit to objectively incorrect data, incomplete data or irrelevant data. On May 13, 2014, the European Court of Justice ruled in a case brought by a Spaniard. Who had demanded that Google stop his name from appearing in Google’s search results. When typing his name the first hit on Google was the auction of the man’s.

Home in connection with social security debts. The European Court ruled that the activity of a search engine. Such as Google must be regard as processing personal data. And therefore fall under the scope of the Privacy Directive. That meant that Google could be held to remove link to web page. At the Spaniard’s request that appear by typing someone’s name. This applies even if the publications on those web pages are lawful.

Also read: mario costeja gonzález

Make your organization GDPR-proof!

You have until May 25, 2018 to make your organization GDPR-proof. With regard to the right to be forgot, this means, among other thing:

  • Be aware(more) of the lawful processing of personal data
  • Anticipate (better) requests for oblivion by registering the place. Where personal data is process within your organization and with which authorities/institution it is share.

Processing: an operation or a set of operations relating to personal data or a set of personal data. Whether or not carried out by automated means such as collecting recording organizing structuring storing updating or changing retrieving consulting. Using disclosure by transmission distribution or otherwise making available alignment or combination blocking erasure or destruction of data.

** Controller: a natural or legal person a public authority, a service or other body. Which alone or together with others determines the purpose and means of the processing of personal data.