Cross-Border Complaint: Delisting Request pursuant to Article 17 GDPR

Via the One-Stop-Shop (OSS) mechanism, the DPC received a complaint related to a ‘Right to be Forgotten’ request made to a large multinational technology company pursuant to Article 17 GDPR. The individual requested the delisting of three URLs that were being returned in a search against the individual’s name on the controller’s search engine. The URLs in question related to their now-deregistered business. The individual’s personal telephone number and residential address were visible through the URLs in question (the individual having operated their previous business at that same address). 

The individual submitted their request along with supporting documentation to verify themselves for the purposes of their request. However, the supporting documentation the individual provided was flagged as being illegible, which the individual disputed, and the Data Controller did not appear to have considered the substantive request itself. The individual was not satisfied with the Data Controller’s response and subsequently made a complaint to the Bavarian Data Protection Authority (Concerned Supervisory Authority), which transferred the complaint to the DPC for investigation, as the company complained of has its main establishment in Ireland.

In response to the DPC’s investigation, the Data Controller agreed to review the individual’s request in full and, having considered the information provided with the request as to the personal details contained in the URLs, determined that the complained-of URLs were eligible for delisting. As a result, the Data Controller delisted the URLs from being returned in a search of the individual’s name and informed the individual directly of same. The Data Controller stated that, should the individual have any further URLs or search terms they wished to submit for the purposes of a delisting request, the most efficient and effective means of doing so was through its online form.

The individual subsequently responded to the DPC to confirm their satisfaction with the actions taken by the controller. 

Key Takeaway

  • Delisting and “right to be forgotten” requests need to be considered properly and a balancing test carried out to establish whether the public interest in accessing the information outweighs the rights of the individual to have that same information deleted, or vice versa.