Guidelines 05/2019 on criteria of the Right to be Forgotten in search engines

1.3 Ground 3:  The Right to request delisting when the data subject has exercised his or her Right to object to the processing of his or her personal data (Article 17.1.c)

26. Pursuantto Article 17.1.c GDPR, a data subject can obtain from the search engine provider the erasure of personal data concerning him or her where he or she objects to the processing according to Article 21.1 GDPR and where there are no overriding legitimate grounds for the processing by the data controller.

27. The Right to object affords stronger safeguards to data subjects since it does not restrict the grounds according to which data subjects may request delisting as under Article 17.1 GDPR.

28. The Right to object to the processing was provided for by Article 14 of the Directive and constituted a ground to request the delisting since the Costeja judgement. However, the differences in the wording of Article 21 GDPR and Article 14 of the Directive suggest that there may also be differences in their application.

29. Under the Directive, the data subject had to base his or her request “on compelling legitimate grounds relating to his [or her] particular situation”. In respect of the GDPR, a data subject can object to a processing “on grounds relating to his or her particular situation”. He or she thus no longer has to demonstrate “compelling legitimate grounds”.

30. The GDPR therefore changes the burden of proof, providing a presumption in favour of the data subjectby obliging on the contrary the controller to demonstrate “compelling legitimate grounds for the processing” (Article 21.1). As a result, when a search engine provider receives a request to delist based on the data subject’s particular situation, it must now erase the personal data, pursuant to Article 17.1.c GDPR, unless it can demonstrate “overriding legitimate grounds” for the listing of the specific search result, which read in conjunction with Article 21.1 are “compelling legitimate grounds (…)which override the interests, rights and freedoms of the data subject”. The search engine provider can establish any “overriding legitimate grounds”, including any exemption provided for under Article 17.3 GDPR. Nonetheless, if the search engine provider fails to demonstrate the existence of overriding legitimate grounds, the data subject is entitled to obtain the delisting pursuant to Article 17.1.c GDPR. As a matter of fact, delisting requests now imply to make the balance between the reasons related to the particular situation of the data subject and the compelling legitimate grounds of the search engine provider. The balance between the protection of privacy and the interests of Internet users in accessing to the information as ruled by the CJEU in the Costeja judgement can be relevant to conduct such assessment, as well as the balance operated by the European Court of Human Rights (ECHR) in pressmatters.

31. Therefore, the criteria of delisting developed by the Article 29 Working Party in guidelines on the implementation of the Court of Justice of the European Union judgment on “ Google Spain and Inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12 can still be used by search engine providers and Supervisory Authorities to assess a delisting request based on the Right to object (Article 17.1.c GDPR).

32. In this regard, the “particular situation” of the data subject will underlie the delisting request (for example, a search result creates detriment for a data subject when applying for jobs, or undermines his or her reputation in personal life) and will be taken into account when undertaking the balance between personal rights and right to information, in addition to the classic criteria for handling delisting requests, such as:

• he or she does not play a role in public life;

• the information at stake is not related to his or her professional life but affects his or herprivacy;

• the information constitutes hate speech, slander, libel or similar offences in the area of expression against him or her pursuant to a court order;

• the data appears to be a verified fact but is factually inaccurate;

• the data relates to a relatively minor criminal offence that happened a long time ago and causes prejudice to the data subject.

33. Nonetheless, these criteria won’t have to be examined in the absence of proof of compelling legitimate grounds to refuse the request.