The DPC received a complaint via the One-Stop-Shop (OSS) mechanism related to a “right to be forgotten” delisting request made to a large multinational technology company (Data Controller) pursuant to Article 17 GDPR. 

The individual contacted the Data Controller requesting the delisting of several URLs. The content of these URLs described events that transpired at the school of which the individual was the principal. The individual explained that they are not a public figure and were no longer the principal of the school in question. The individual asserted that many of the ‘facts’ cited in the article were incorrect. The article also referred to certain special category data related to the individual, which the individual asserted was also incorrect. The individual stated that they did not receive a response from the Data Controller and submitted a complaint.

Upon receipt of the complaint, the DPC commenced an examination of the complaint with the Data Controller pursuant to section 109 of the Data Protection Act. In response to the DPC’s examination, the Data Controller explained that, following an extensive investigation, it could find no record of the delisting request from the individual. The Data Controller asserted that it did not  refuse the delisting request; rather, it was unaware of the request prior to  the DPC’s intervention. 

On foot of the DPC’s examination, the Data Controller proceeded to carry out a substantive assessment of the individual’s request and determined that, although certain of the complained-of URLs were ineligible for delisting for a number of reasons (e.g. because they did not contain personal data relating to the individual, or because they did not provide a return in the EEA (or UK) versions of its search engine when a search was carried out against the names provided), a number of other URLs were potentially eligible for delisting subject to certain further clarifications being provided by the individual relating to their content.

The Data Controller reached out to the individual directly outlining the results of its assessment and noting that it would need further information to complete its adjudication of the delisting request. The Data Controller continued to engage with the individual in this regard and the individual later wrote to the DPC to confirm that the complained of URLs had now been delisted to their satisfaction and that the matter was resolved.