Case Studies Erasure

 

Right to erasure and user generated content

This complaint concerned an initial refusal by the data controller to comply with an erasure request made by the complainant, pursuant to Article 17 GDPR. The complainant first lodged their complaint via the Spanish Data Protection Authority, the AEPD, who then transferred the complaint to the DPC as the Lead Supervisory Authority.

The complainant stated that they were named, and therefore identified, in a negative review relating to their place of employment. The review, accompanied by a partial image of the complainant, had been posted online. The complainant had sought the removal of their name and any associated images from the review. During its engagement with the DPC on the matter, the data controller advised that they had reviewed the content in question in the context of their own privacy guidelines for the removal of content from the website and that they considered the content did not infringe upon same.

The DPC requested that the data controller review the matter again, in the spirit of amicably resolving the complaint. The data controller subsequently reverted to advise that after a further assessment of the content in question they had made the decision to remove the review posting in its entirety.

This case study demonstrates the benefits, to individual complainants, of the DPC’s intervention by way of the amicable resolution process. In this case, this led to the complainant being able to effect their right of erasure over their personal data, as afforded to individuals under Article 17 of the GDPR.

Case Studies Erasure

 

Right to be Forgotten (Microsoft)

The complaint concerned the individual’s dissatisfaction with Microsoft Ireland’s (data controller) response to their right to be forgotten request pursuant to Article 17 GDPR. The individual requested to have seven URLs delisted from being returned in a search against their name on the data controller’s search engine. The individual stated that their National Identity number was contained in the URLs returned and raised concerns that the availability of their National Identity number increased the risk of identity theft.

The DPC intervened on behalf of the complainant. The data controller originally refused the delisting request, stating that the URLs contained information of public relevance, and that the information was published in an official bulletin of a government body; in this case, the Spanish Government. The DPC corresponded with the Spanish Data Protection Authority in relation to the information published in the URLs. The Spanish Data Protection Authority stated that due to the introduction of the GDPR, the Spanish Data Protection law was modified and the Government is no longer permitted to disclose citizens’ complete National Identification number alongside their name and surnames when publicising administrative acts. Following clarification from the Spanish Data Protection Authority, the DPC informed the data controller of the change in the Spanish Data Protection law. The data controller stated that based on the update in Spanish Data Protection law, it would delist all requested URLs from being returned against the individual’s name in accordance with Article 17 GDPR.

This case highlights the importance of communicating with other supervisory authorities during the complaint resolution process. In these circumstances, the DPC was provided with clarification on how Spain has adapted its national legislation to comply with the GDPR. It also allowed the data controller to adapt its current procedure to ensure that requests involving the delisting of URLs containing full National Identity numbers are handled in accordance with the updated national legislation.

Case Studies Erasure

 

Access and Erasure request (Pinterest)

The complaint concerned the individual’s dissatisfaction with Pinterest Europe’s (data controller) response to his access and erasure requests pursuant to Article 15 GDPR and Article 17 GDPR, respectively. The individual submitted his requests following the suspension of his account, in order to obtain a copy of all of his personal data and to have it deleted from the data controller’s systems. The individual’s account was suspended due to a violation of the data controller’s policies regarding spam.

The data controller responded to the requests via automated response which stated that it had reviewed the account and decided not to reactivate it because it noticed activity that violated its spam policy. As a result, the individual was no longer able to access his personal data stored on their account. The individual maintained that this information could not be correct as they seldom used their account and sought a more substantial response to their access and erasure requests.

The DPC took up the complaint with Pinterest. The DPC outlined the individual’s concerns in relation to his access and erasure requests and requested that the data controller address those concerns more substantively.

The DPC also requested that the data controller indicate whether the individual was provided with an opportunity to appeal his account suspension and, if so, describe the procedure for such appeals. The data controller responded to the DPC stating that it had investigated the matter and explained that once an account is suspended on the basis of a spam violation, all correspondence is automatically directed to its Spam Operations team. The data controller further explained the appeal process and noted that the individual corresponded with the Spam Operations team in relation to the appeal of their suspension. The Spam Operations team failed to identify that the correspondence also included the individual’s access and erasure requests and therefore this was not addressed in its response. The data controller’s response also noted that, although the Spam Operations team had rejected the individual’s appeal of their account suspension, it had since carried out another review in light of its updated spam policies. Following this review, the data controller re-activated the individual’s account.

The data controller also acknowledged the delay in responding to the individual and confirmed that it had since taken steps to ensure that such delays would not occur in responding to future requests. The data controller confirmed that it had actioned the individual’s access and erasure requests. It also confirmed that it had reached out to the individual to inform him of the steps it had taken in response to the DPC’s correspondence and provided the individual with the explanations set out above. The actions taken and explanations given by the data controller were also outlined to the individual by the DPC. The individual informed the DPC that they were satisfied with the actions taken by the data controller in response to the DPC’s correspondence as it allowed him to download his data and delete his account.

This case study illustrates how often simple matters — such as a complaint being forwarded to the wrong unit in an organisation — can become data protection complaints if the matter is not identified appropriately.

Case Studies Erasure

 

Right to be Forgotten (Microsoft)

The complaint concerned the individual’s dissatisfaction with Microsoft Ireland Operations Limited’s (data controller) response to their right to be forgotten request pursuant to Article 17 GDPR. The individual requested the delisting of two URLs that were returning on the data controller’s search engine when searching the individual’s name. The data controller confirmed to the individual that the URLs were delisted.

However, a search of the individual’s name, carried out by their legal representative, showed that the URLs continued to be returned. The DPC reviewed the URLs when receiving the complaint and confirmed that the URLs were still being returned.

The DPC intervened to seek to swiftly and informally resolve the matter. The DPC corresponded with the data controller and noted that despite confirmation that the URLs were delisted, they continued to return when searching the individual’s name. The data controller investigated the request further and confirmed to the DPC that the URLs had now been delisted. Following further investigation by the DPC, it was determined that while the original URLs requested for delisting no longer appeared, a different URL was now appearing, distinct from the other URLs, redirecting to the same content. The data controller delisted this URL also at the request made by the DPC on behalf of the individual. The DPC wrote to the individual and outlined the data controller’s actions. The DPC confirmed that all three URLs had been delisted by the data controller.

This case demonstrates the importance of supervisory authorities, in this case the DPC, carrying out their own investigations and ensuring that individuals’ requests are fulfilled in line with GDPR. The above is an example of how the DPC took extra measures to ensure that the individual could comprehensively achieve a satisfactory outcome, rather than having to submit a new complaint for the new URL.

Case Studies Erasure

 

Delisting request made to internet search engine

A data subject made a complaint against an internet search engine regarding the search engine’s response to their delisting request. The complaint concerned two URLs that appeared as results to searches of the individual’s name on the search engine. During the handling of this complaint, the individual included one further URL that they sought the search engine to delist.

The criteria to be applied by search engines are that delisting must occur if the results are irrelevant, inadequate or excessive. A case-by-case balancing exercise must be conducted by the search engine that balances rights of access and rights of those individuals affected by search results.

The individual had originally personally engaged with the search engine seeking delisting of the URLs because the individual argued the URLs contained defamatory content, making it unlawful to process them, and that the URLs were impacting on the individual’s private and professional life given their content. The search engine operator refused to delist the URLs because they related to information about the individual’s professional life and there was a public interest in accessing this information.

The DPC engaged with the search engine operator regarding their refusal to delist. The search engine operator relied on the legitimate interest of third parties to access the information in the URLs. No defamation proceedings had been pursued by the individual against the original publishers of the relevant content and so it was not possible to definitively decide the question of whether content in the URLs was defamatory or not.

That being said, during the course of the handling of this complaint by the DPC, the search engine operator delisted the URLs in Ireland alone based on the defamation arguments of the individual. The individual continued with their DPC complaint seeking delisting across Europe and not just Ireland. Further, the webpages underlying all of the three URLs were deactivated by the webmaster during the handling of this complaint.

Article 17(3)(a) of the GDPR states the right to be forgotten will not apply where the processing of personal data is necessary “for exercising the right of freedom of expression and information”. In examining this complaint, the DPC noted the information contained in the webpages — the subject of the individual’s complaint — relates to previous business conduct by them relevant to their professional life. The individual continues to engage in the same professional sphere and activities. The individual accepted this by arguing the content was impacting their professional life. The individual argued the content was inaccurate because it was defamatory. The DPC noted that a significant majority of the content the individual said was inaccurate was a blog post and comments of third parties and related to their professional activities; appearing to be the opinions of third-party commentators.

The DPC concluded if a third party were to consider the webpages the subject of this complaint it would be clear that the comments were made as user-generated content and represent third party opinions rather than appearing as verified fact. The role of the search engine in listing is not to challenge or censor the opinions of third parties unless to list results gives rise to personal data processing on the part of the search engine that is irrelevant, inadequate or excessive.

The DPC concluded that given the individual’s business role and role in public life arising from their professional life, there is a public interest in accessing information regarding their professional life within the European Union. The DPC wrote to the individual and under section 109(5)(b) of the 2018 Act dismissed the individual’s complaint based on the above considerations.

Case Studies Erasure

 

Retention of a minor’s personal data by a State Agency

In this case, the complainants involved had previously requested that an Irish state agency erase a file pertaining to an incident at school involving their young child which had originally been notified to the agency. However, while the agency had decided that the incident did not warrant further investigation, it had refused to erase the minor’s personal data — indicating that such files are retained until the minor in question reaches the age of 25 years.

The Data Protection Commission (DPC) requested that the state agency outline its lawful basis for the retention of the minor’s personal data. The agency provided this and cited its retention policy as stated to the complainants, but the DPC did not consider a blanket retention period applicable in the particular circumstances.

The DPC informed both parties of the amicable resolution process and both expressed a willingness to engage on same. After iterative engagement between the complainants and the controller to discuss the matter, the state agency confirmed to the complainants that the file containing their child’s personal data would be deleted.

Case Studies Cross-border Complaints

 

Cross-Border Complaint: Delisting Request pursuant to Article 17 GDPR

Via the One-Stop-Shop (OSS) mechanism, the DPC received a complaint related to a ‘Right to be Forgotten’ request made to a large multinational technology company pursuant to Article 17 GDPR. The individual requested the delisting of three URLs that were being returned in a search against the individual’s name on the controller’s search engine. The URLs in question related to their now-deregistered business. The individual’s personal telephone number and residential address were visible through the URLs in question (the individual having operated their previous business at that same address). 

The individual submitted their request along with supporting documentation to verify themselves for the purposes of their request. However, the supporting documentation the individual provided was flagged as being illegible, which the individual disputed, and the Data Controller did not appear to have considered the substantive request itself. The individual was not satisfied with the Data Controller’s response and subsequently made a complaint to the Bavarian Data Protection Authority (Concerned Supervisory Authority), who transferred the complaint to the DPC for investigation, as the company complained of has its main establishment in Ireland.

In response to the DPC’s investigation, the Data Controller agreed to review the individual’s request in full and, having considered the information provided with the request as to the personal details contained in the URLs, determined that the complained-of URLs were eligible for delisting. As a result, the Data Controller delisted the URLs from being returned in a search of the individual’s name and informed the individual directly of same. The Data Controller stated that, should the individual have any further URLs or search terms it wished to submit for the purposes of a delisting request, the most efficient and effective means of doing so was through its online form. 

The individual subsequently responded to the DPC to confirm their satisfaction with the actions taken by the controller. 

Key Takeaway

  • Delisting and “right to be forgotten” requests need to be considered properly and a balancing test carried out to establish whether the public interest in accessing the information outweighs the rights of the individual to have that same information deleted, or vice versa.

Case Studies Electronic Direct Marketing

 

Prosecution of Vodafone Ireland Limited

In July 2021, the DPC received one complaint from an individual regarding an unsolicited marketing telephone call received from Vodafone Ireland Limited. In response to the DPC’s investigation of the complaint, Vodafone Ireland Limited explained that the existing customer had opted out of receiving marketing communications in March 2018. Despite this, Vodafone Ireland Limited had carried out a manual check of preferences in advance of conducting a marketing campaign, and due to human error, the complainant was included in the marketing campaign.

The DPC had previously prosecuted Vodafone Ireland Limited in 2021, 2019, 2018, 2013 and 2011 for breaching Regulation 13 of the ePrivacy Regulations in relation to previous complaints. Accordingly, the DPC decided to proceed to another prosecution arising from this complaint case. At Dublin Metropolitan District Court on 27 June 2022, Vodafone Ireland Limited pleaded guilty to one charge under Regulation 13(6) of the ePrivacy Regulations. The District Court applied the Probation of Offenders Act 1907 in this case, on the basis of a charitable donation of €500 to Little Flower Penny Dinners. Vodafone Ireland Limited agreed to discharge the DPC’s legal costs.

Case Studies Cross-border Complaints

 

Amicable Resolution of a Cross Border Complaint regarding a Right to Erasure Request

The DPC received a complaint via the One-Stop-Shop (OSS) mechanism from an individual regarding the handling of an Article 17 GDPR erasure request made by them. 

The individual in this matter had made an erasure request to have their social media account, as well as any subsequent personal data belonging to them, erased by the controller. The individual also noted as part of their complaint that they had lost access to the account in question. Therefore, they could not delete the account on their own accord using the controller’s self-deletion tool, due to inaccessibility. The individual first raised their request with the controller directly, but was left dissatisfied with the controller’s response to their request. The individual then contacted their national supervisory authority, seeking assistance in acquiring the erasure of the account and related personal data. 

The DPC identified the complaint as potentially being capable of amicable resolution under Section 109(2) of the Data Protection Act 2018. The DPC commenced an examination of the complaint by contacting the controller and outlining the details of the complaint. 

In its response to the DPC, the controller acknowledged that it appeared that the individual was unable to access their account as asserted by the individual in their complaint. On foot of the DPC’s intervention, the social media company contacted the individual directly and its specialist team assisted the individual in regaining access to their account. This enabled the individual to then initiate the process of self-deleting their account and related personal data. The individual subsequently notified the DPC that they considered that their complaint had been amicably resolved. 

Key Takeaway

  • This case demonstrates that organisations cannot always rely on automated systems to address customer concerns and that they need to be mindful of the small percentage of users who cannot exercise their rights through the automated mechanisms in place.

Case Studies Cross-border Complaints

 

Cross-Border Complaint Concerning Right to Erasure Request to an Online Financial Company Amicably Resolved

The DPC as Lead Supervisory Authority received a complaint via the One-Stop-Shop (OSS) mechanism created by the GDPR from an individual in Germany regarding an erasure request, pursuant to Article 17 of the GDPR, to an online financial company based in Ireland.

Having submitted the erasure request to the company for the deletion of their personal data from the company’s database, the individual received a refusal from the company to their request. The company informed the individual concerned that it had a legal obligation that required it to retain the data. In the complaint, the individual stated that the company did not provide further information for the basis of its refusal of their request, or information on how long it would retain their data. 

The individual then lodged their complaint via the North Rhine-Westphalia Data Protection Authority, who then transferred the complaint to the DPC as the Lead Supervisory Authority. 

The complaint was identified as potentially being capable of amicable resolution under Section 109 of the Data Protection Act 2018. 

As part of the amicable resolution process, it was established that the company was a financial regulated entity obliged by law to keep the personal data related to closed accounts for a period of seven years, and, upon the expiry of this period, it deletes the personal data associated with a closed account. The company confirmed the date the individual’s data would be deleted, and confirmed that until such a time as it could comply with the erasure request, the individual’s personal data would be safeguarded. 

The DPC communicated this information to the individual via the North Rhine-Westphalia Data Protection Authority. The individual responded, confirming the information provided by the DPC had led to the amicable resolution of their complaint. 

Key Takeaway

  • This case study demonstrates the benefits to individuals of the DPC’s intervention by way of its complaint handling and amicable resolution process, which allows it to get to the root of issues between Data Subjects and Controllers. The process allows the DPC to assist individuals in EU States – by addressing their concerns, and providing clarification on data protection procedures and the individual’s rights under the GDPR.