by Dr Edric Micallef Figallo – Associate
The following is the eighth article in a series of articles delving into the GDPR, intended to give an overview of the main aspects of the provisions it introduced, retained and updated in the data privacy law regime of the European Union, and its legislative implementation in Malta. The previous article may be viewed here.
In continuing from where we left off in the previous part, we shall start dealing with the right to erasure applicable according to Article 17(1)(c) GDPR, which provides that:
“1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2).”
In a previous part to this article we have already made reference to the “without undue delay” requirement, which applies to the right to erasure generally. However, different grounds for the right to erasure might require different considerations, affecting the degree of delay for the data subject.
Of interest for this particular ground is that on the 7th July 2020 the European Data Protection Board (EDPB) has adopted guidelines entitled Guidelines 5/2019 on the criteria of the Right to be Forgotten in the search engines cases under the GDPR (part 1). These guidelines also refer to previous, albeit applicable, guidelines by the Article 29 Working Party entitled Guidelines on the implementation of the Court of Justice of the European Union judgment on “Google Spain and inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12, WP 225, 26 November 2014. While both guidelines refer to internet search engines specifically, the principles contained are generally applicable when it comes to the ground under Article 17(1)(c).
Importantly, the ground under Article 17(1)(c) is conditional on the right to object to data processing under Article 21(1) and 21(2) GDPR. Article 21(2) practically provides the right to object in all cases in which the purposes of the data processing are for direct marketing. This does not require much thought thereon, but Article 21(1) provides more intricate legal considerations which are much more case dependant. It is best to quote said provision in its entirety, with emphasis added:
“1. The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.”
As referred in the first guidelines referred above, in general “the right to object affords stronger safeguards to data subjects since it does not restrict the grounds according to which data subjects may request delisting” as does the right to erasure. The right to erasure according to Article 17(1)(c) is grounded on the right to object and thus this broad right to object opens up an apparently restrictive right to erasure. Said guidelines further indicate a GDPR novelty which could be practically significant since under the previous EU Directive:
“the data subject had to base his or her request “on compelling legitimate grounds relating to his [or her] particular situation”. In respect of the GDPR, a data subject can object to a processing “on grounds relating to his or her particular situation”. He or she thus no longer has to demonstrate “compelling legitimate grounds”.
30. The GDPR therefore changes the burden of proof, providing a presumption in favour of the data subject by obliging on the contrary the controller to demonstrate “compelling legitimate grounds for the processing” (Article 21.1).”
In the following part in this series, we shall continue the analysis of this ground for the right to erasure and the conditions related thereto and its grounding in the right to object.
____________________________________
Disclaimer: This article is not to be considered as legal advice, and is not to be acted on as such. Should you require further information or legal assistance, please do not hesitate to contact Dr Edric Micallef Figallo on edric@abalegal.eu.