The Court of Justice of the European Union (CJEU) publishes a comprehensive ruling concerning the data subject's request for data deletion. Accordingly, it was ruled that it is insufficient to fulfill a deletion request within the company's services activities.
In a nutshell - The controller of personal data is required to take reasonable steps to inform internet search engine providers (and any other controllers) of a request for erasure by the data subject.
The EU Court confirms that a controller of personal data must, using appropriate technical and organizational measures, inform the other potential controllers that have received such data from it of withdrawing the data subject's consent. Such a controller must also ensure that service providers that have communicated those personal data to it are informed: "so that that operator amends the list of personal data that it automatically forwards to that provider of directories."
In the Proximus case, where various controllers rely on the single consent of the data subject, it is sufficient for that person to withdraw such consent to contact any of the controllers.
Finally, the Court holds that the controller under the GDPR must ensure that reasonable steps are taken to inform search engine providers of the request addressed to it by the subscriber of a service operator for the erasure of their personal data.
In terms of best practice, this means that organizations must map the data appropriately and update additional service providers (including search engines) regarding the erasure/consent EU withdrawing requests.
Comments