In their third webinar, the Cyber Security Coalition Privacy Focus Group and Beltug focused on the apparently easy but actually complex ‘right to be forgotten’. In his extremely clear presentation, Peter Van Dyck, Partner at Allen and Overy (Belgium) LLP clarified the basics of this right, illustrated with three cases against Google and five rulings of the Belgian DPA.
Referring to art 17 of the GDPR, Peter Van Dyck pointed out that data subjects have a right, not so much to be completely ‘forgotten’, but for specific personal data to be erased or search results to be dereferenced. And this right is not absolute. A data subject’s request must comply with at least one of the conditions listed in art 17, and companies/organizations can invoke grounds to refuse the request (but DO document why!). He illustrated how three cases against Google at the European Court of Justice have ‘created’ and influenced the ‘right to be forgotten’, including the extent of ‘being forgotten’ and its territorial applicability (Europe yes, worldwide possibly).
Based on five rulings, Peter Van Dyck provided also insight in the interpretation of this right by the Belgian DPA. Its approach at this time is rather more lenient and cooperative, as quite often companies are not fined if they prove to remedy the infringement of this right within e.g. a month. Importantly, he stressed the need for companies/organizations to get their ‘right to be forgotten’-processes right and effective!
For a clear and concise insight in the ‘right to be forgotten’-challenge, do replay this session!