Case Studies Erasure
Parent making an erasure request for child who is now an adult
A charity contacted the DPC seeking advice on a query they had received from a parent asking whether they could request the erasure of their child’s personal data. The data in question dated back several years, to when the child was a minor. However, the child was now an adult, and the parent, who was their guardian at the time, wanted to know if they could still request that the data be erased.
Right to be Forgotten (RtbF) search engine results for an individual’s first and last name
An individual contacted a search engine company to request that a number of websites remove articles about them that contained their name, as they believed the articles were no longer relevant to their current life and circumstances. The search engine organisation replied to them and outlined that their requests did not fulfil the criteria for it to remove them. The individual was unhappy with this response and contacted the DPC to make a complaint.
An erasure request connected to a property sale
A prospective buyer initiated the facilitated purchase of a property through a real estate intermediary. Shortly after this, the vendor of the property withdrew from the sale. As part of the purchasing process, the prospective buyer had provided a copy of their ID, proof of address and bank details to the real estate intermediary. Following the breakdown in the process, the prospective buyer sought the erasure of their personal data pursuant to Article 17 of the GDPR.
Complaint related to non-compliance with an erasure request to a prospective employer
This complaint concerned the alleged non-response to an erasure request made by an individual to a prospective employer pursuant to Article 17 of the GDPR.
Non-compliance with an erasure request associated with an online gambling account
An individual opened an online account with a bookmaker and deposited a sum of money to their account. Having attempted to download the application (‘app’) associated with the service, the individual quickly realised that the app was not compatible with their mobile phone. The following day the individual submitted an erasure request under Article 17 of GDPR to the bookmaker.
Non-compliance with an erasure request related to medical data
An individual contacted the DPC following the refusal of their erasure request by a health care provider. According to the individual, they had requested the erasure of all historic health records relating to them held by the health care provider, as the individual was of the opinion that the records were incorrect as they related to an alleged misdiagnosis.
Access and Erasure request (Pinterest)
The complaint concerned the individual’s dissatisfaction with Pinterest Europe’s (data controller) response to his access and erasure requests pursuant to Article 15 GDPR and Article 17 GDPR, respectively. The individual submitted his requests following the suspension of his account, in order to obtain a copy of all of his personal data and to have it deleted from the data controller’s systems. The individual’s account was suspended due to a violation of the data controller’s policies regarding spam.
The data controller responded to the requests via automated response which stated that it had reviewed the account and decided not to reactivate it because it noticed activity that violated its spam policy. As a result, the individual was no longer able to access his personal data stored on their account. The individual maintained that this information could not be correct as they seldom used their account and sought a more substantial response to their access and erasure requests.
Amicable resolution — right to erasure
This complaint concerned the alleged non-response to an erasure request made by the complainant to a data controller pursuant to Article 17 GDPR.
Cross-border complaint — right to erasure
The DPC received a complaint from an individual regarding an erasure request made by them to a data controller, a platform for booking accommodation, pursuant to Article 17 GDPR. The complainant had begun creating an account on the data controller’s platform but chose to abandon the process before it was complete. The complainant then communicated his erasure request to the data controller by email and telephone. In response to the erasure request, the data controller informed the complainant that they required an identity document in order to comply with the erasure request.
Debt collector involvement
A data subject had contacted the DPC as they were not satisfied with the responses to a data subject access request and erasure request. This case was against a debt collector and the data subject raised concerns about how their personal data was obtained. The data subject explained that the debt had been cleared but they still received a letter from a debt collector. This letter referred to an outstanding amount owed to a third party.
Delisting request made to internet search engine
A data subject made a complaint against an internet search engine regarding the search engine’s response to their delisting request. The complaint concerned two URLs that appeared as results to searches of the individual’s name on the search engine. During the handling of this complaint, the individual included one further URL that they sought the search engine to delist.
Erasure request and reliance on Consumer Protection Code
Following an unsuccessful application for a credit card, the data subject in this case sought to have their personal data erased under Article 17 of the General Data Protection Regulation (GDPR). When the erasure request was refused by the data controller, the data subject raised concerns with the DPC that their personal data was being unlawfully retained. The DPC engaged with the data controller in order to assess the reasoning for such refusal.
Retention of a minor’s personal data by a State Agency
In this case, the complainants involved had previously requested that an Irish state agency erase a file pertaining to an incident at school involving their young child which had originally been notified to the agency. However, while the agency had decided that the incident did not warrant further investigation, it had refused to erase the minor’s personal data, indicating that such files are retained until the minor in question reaches the age of 25 years.
Right to be Forgotten (Microsoft)
The complaint concerned the individual’s dissatisfaction with Microsoft Ireland Operations Limited’s (data controller) response to their right to be forgotten request pursuant to Article 17 GDPR. The individual requested the delisting of two URLs that were returning on the data controller’s search engine when searching the individual’s name. The data controller confirmed to the individual that the URLs were delisted.
However, a search of the individual’s name, carried out by their legal representative, showed that the URLs continued to be returned. The DPC reviewed the URLs when receiving the complaint and confirmed that the URLs were still being returned.
Right to be Forgotten (Microsoft)
The complaint concerned the individual’s dissatisfaction with Microsoft Ireland’s (data controller) response to their right to be forgotten request pursuant to Article 17 GDPR. The individual requested to have seven URLs delisted from being returned in a search against their name on the data controller’s search engine.
The individual stated that their National Identity number was contained in the URLs returned and raised concerns that the availability of their National Identity number increased the risk of identity theft.
Right to erasure and user generated content
This complaint concerned an initial refusal by the data controller to comply with an erasure request made by the complainant, pursuant to Article 17 GDPR. The complainant first lodged their complaint via the Spanish Data Protection Authority, the AEPD, who then transferred the complaint to the DPC as the Lead Supervisory Authority.
Article 60 decision concerning Twitter International Company — ID Request, Erasure Request
A complaint was lodged directly with the DPC on 2 July 2019 against Twitter International Company (“Twitter”), and accordingly was handled by the DPC in its role as lead supervisory authority. The complainant alleged that, following the suspension of their Twitter account, Twitter failed to comply within the statutory timeframe with an erasure request they had submitted to it. Further, the complainant alleged that Twitter had requested a copy of their photographic ID in order to action their erasure request without a legal basis to do so. Finally, the complainant alleged that Twitter had retained their personal data following their erasure request without a legal basis to do so.
Retention of data by a bank relating to a withdrawn loan application
The complainant in this case had made a loan application to a bank. The complainant subsequently withdrew the loan application and wrote to the bank stating that they were withdrawing consent to the processing of any personal data held by the bank relating to the loan application and requesting the return of all documents containing the complainant’s personal data. In response, the bank informed the complainant that it had stopped processing all of the complainant’s personal data, with the exception of data contained in records which the bank stated it was required to retain and process under the Central Bank of Ireland’s Consumer Protection Code. The complainant was not satisfied with this response, and argued, in their complaint to this Office, that in circumstances where the bank had obtained the complainant’s personal data on the basis of the complainant’s consent, the bank was not permitted to continue to process these data on a different legal basis (i.e. processing which is necessary for compliance with a legal obligation to which the bank is subject). The complainant also argued that the continued processing by the bank of their personal data was for a purpose which was not compatible with the purpose for which the data were originally obtained, in contravention of data protection legislation.
Unlawful processing and erasure request
Following their trip to a leisure facility (the data controller), a data subject submitted a complaint to the Data Protection Commission (DPC) as they were unhappy with how the data controller processed their personal data. The data subject also wanted to exercise their rights under Article 17 of the General Data Protection Regulation (GDPR) and have their data, and their family’s data, deleted by the organisation. Prior to contacting the DPC, the data subject requested the erasure of their data directly from the data controller and this request was refused.
Unlawful processing of photograph and erasure request
A data subject submitted a complaint to the Data Protection Commission (DPC) regarding the publication of their historical image in a newspaper (data controller). The data subject explained to the DPC that the article was published without their knowledge and without their consent. Before contacting the DPC, the data subject contacted the data controller to raise their concern that their personal data had been unlawfully processed and to request erasure of the image from the newspaper under Article 17 of the General Data Protection Regulation (GDPR); however, the data controller rejected all elements of the data subject’s request.