Skip main navigation

New offer! Get 30% off your first 2 months of Unlimited Monthly. Start your subscription for just £29.99 £19.99. New subscribers only. T&Cs apply

Find out more
Home / Business & Management / Big Data & Analytics / Understanding the GDPR / Right to erasure and right to data portability

Right to erasure and right to data portability

Rights to erasure, addressed in the Google Spain case, and to data portability deal with very important matters. Watch Evgeni Moyakine explain more.
View transcript
5.9
Now, it is time to address two other significant rights of data subjects prescribed
10.7
by the General Data Protection Regulation: the right to erasure and the right to data portability. The right to erasure is sometimes known as the right to be forgotten, though this denomination is not entirely correct. Data subjects have the right to obtain from data controllers the erasure of personal data concerning them without undue delay. In this regard, controllers are obliged to erase these personal data without undue delay if one of the following grounds is applicable. First, personal data are not necessary anymore in relation to the purposes for which they were collected or processed. Second, data subjects withdraw their consent, and there is no other legal ground for processing.
55.1
Third, data subjects object to the processing, and there are no overriding legitimate grounds for this processing. Fourth, personal data have been unlawfully processed. Fifth, personal data must be deleted in order to comply with the legal obligation in the European Union law or the law of EU Member States to which controllers are subjected. And, sixth, personal data have been collected in relation to the offer of information society services to children. This right to erasure is, however, not applicable when the processing is necessary for the exercise of the right to freedom of expression and information.
94.4
It also does not apply when the processing is required for compliance with a legal obligation of the controller under the law of the European Union, or its Member States, that requires the processing, or for the performance of a task carried out in the public interest, or in the exercise of official authority vested in a controller. In addition, this right is not applicable for reasons of public interest in the area of public health and for achieving purposes in the public interest, scientific or historical research purposes, or statistical purposes. Finally, it does not apply for the establishment, exercise, or defence of legal claims.
131.6
With respect to this right, an interesting case was brought before the Court of Justice of the European Union, or the CJEU. The judgement was given on 13 May 2014 and dealt with the right to be forgotten in the context of the Directive 95/46/EC, the predecessor of the GDPR. In 2010, a Spanish national, Mario Costeja Gonzalez, complained before the Spanish Data Protection Agency against the newspaper La Vanguardia Ediciones, Google Spain, and Google, Incorporated. He was not happy with the fact that if Internet users entered his name in the Google search engine, two links to the newspaper would appear where his name would be present.
175.4
His name would be connected to the real state auction with regard to the attachment proceedings initiated for the recovery of social security debts. He wanted the newspaper to have these references removed or altered and Google to have his personal data in this regard removed or concealed. The complaint in relation to the newspaper was dismissed by the Agency, but it was upheld with regard to Google. In the national legal proceedings between the two, the Spanish National High Court referred a number of preliminary questions to the Court of Justice of the EU dealing with the applicability of the Directive 95/46/EC to the Internet search engines, such as that of Google.
215.9
The Court of Justice of the European Union has concluded that data subjects have a right to erasure. It means that the information presented by the search engines is not linked to their names and that the operators of the search engines may be required to remove links to third party websites with data subjects’ personal information. Such an interference with the fundamental rights, however, can be justified if there is a significant interest of the general public to have access to this information. If those individuals, for example, play an important role in the public life. Currently, many requests are processed by Google that originate from individuals who would like to remove certain links to third party websites containing certain personal information about them.
261.9
Are you one of these people? Or are you considering now to become one? Furthermore, data subjects have a right to receive personal data concerning them which they provided to controllers and to transmit these data to other controllers. The data in question must be provided in a structured, commonly used, and machine-readable format. This right exists when the processing is based on consent, or a contract, and the processing is carried out by automated means. In addition, data subjects who exercise their right to data portability may have their personal data transmitted directly from one controller to another if this is technically possible.
306.4
This right can be exercised without prejudice to the right to erasure. It also does not apply to the tasks carried out in the public interest or in the exercise of official authority by the controller. Finally, it cannot be invoked to adversely affect the rights and freedoms of others. Imagine that an individual has been a devoted user of the Google Plus social network. As the time passes, he notices that it is not as popular anymore as it used to be and that all his friends have left it. He decides to walk over to Facebook, and - by using his right to data portability - may ask Google to hand over to him all personal data it holds about him.
349.2
This will allow him an easy transfer of all his personal details to the new social network.
357.2
The right to erasure and the right to data portability formed the core of our discussion this time. They are ensured by the General Data Protection Regulation and should benefit those who can be considered data subjects.

The rights to erasure and to data portability should not be omitted in our discussion of data subjects’ rights.

The right to erasure (also known as “the right to be forgotten”) is to be found in Article 17 GDPR. It allows data subjects to obtain from data controllers the erasure of personal data concerning them without undue delay. This right, however, does not apply when, for example, the processing is necessary for the exercise of the right to freedom of expression and information; when there are reasons of public interest in the area of public health; or when legal claims must be established, exercised or defended.

“The right to be forgotten” was dealt with by the Court of Justice of the European Union (CJEU) in the judgment from 13 May 2014 involving Spanish citizen Mario Costeja González, the Spanish Data Protection Agency, Google Spain and Google Inc. The Court has observed that data subjects have a right to erasure meaning that information in search engines is not linked to data subjects’ names and that the search engine operators may be required to remove links to third party websites with personal information. If there is a significant interest of the general public to have access to this information, this interference with fundamental rights may be justified.

Data subjects also have the right to data portability or, in other words, the right to receive from controllers personal data concerning them in a structured, commonly used and machine-readable format and to transmit these data to other controllers. This has been laid down in Article 20 GDPR. If it is technically possible, personal data can be directly transmitted from one controller to another. The right to data portability is not applicable to the tasks carried out in the public interest or in the exercise of official authority by the controller and it cannot be invoked to adversely affect the rights and freedoms of others.

Want to keep learning?

This content is taken from University of Groningen online course
Understanding the GDPR
View Course
See other articles from this course
This article is from the online course:

Understanding the GDPR

Created by
Join Now
This article is from the free online

Understanding the GDPR

Created by
Join Now
FutureLearn - Learning For Life

Reach your personal and professional goals

Unlock access to hundreds of expert online courses and degrees from top universities and educators to gain accredited qualifications and professional CV-building certificates.

Join over 18 million learners to launch, switch or build upon your career, all at your own pace, across a wide range of topic areas.

Start Learning now

Register to receive updates

  • Create an account to receive our newsletter, course recommendations and promotions.

    Register for free