The complaint concerned the individual’s dissatisfaction with Microsoft Ireland Operations Limited’s (data controller) response to their right to be forgotten request pursuant to Article 17 GDPR. The individual requested the delisting of two URLs that were returning on the data controller’s search engine when searching the individual’s name. The data controller confirmed to the individual that the URLs were delisted.

However, a search of the individual’s name, carried out by their legal representative, showed that the URLs continued to be returned. The DPC reviewed the URLs when receiving the complaint and confirmed that the URLs were still being returned.

The DPC intervened to seek to swiftly and informally resolve the matter . The DPC corresponded with the data controller and noted that despite confirmation that the URLs were delisted, they continued to return when searching the individual’s name . The data controller investigated the request further and confirmed to the DPC that the URLs had now been delisted . Following further investigation by the DPC, it was determined that while the original URLs requested for delisting no longer appeared, a different URL was now appearing, distinct from the other URLs, redirecting to the same content . The data controller delisted this URL also at the request made by the DPC on behalf of the individual . The DPC wrote to the individual and outlined the data controller’s actions . The DPC confirmed that all three URLs had been delisted by the data controller . This case demonstrates the importance of supervisory authorities, in this case the DPC, carrying out their own investigations and ensuring that individuals’ requests are fulfilled in line with GDPR . The above is an example of how the DPC took extra measures to ensure that the individual could comprehensively achieve a satisfactory outcome, rather than having to submit a new complaint for the new URL .