Your right to have information about you removed from Google

Understanding the Right to Be Forgotten under GDPR: What you need to know

The right to be forgotten under EU's GDPR is more important than ever as it is also applicable on search engines - and many people have information out there that they may find harmful, incorrect and or private in its nature. For many persons, the information can make it hard for them to find a job, rent an appartment or even to find a partner.

When Does It Apply?

An individual can request erasure of their personal data in particular if one or more of the following conditions are met:

1. Data is no longer necessary: The data is no longer required for the purpose it was originally collected.

2. Data subject withdraws consent: You withdraw the consent that formed the legal ground for processing the data in the first place, and there is no other legal basis for processing the same data that would warrant it being kept.

3. Data subject objects to the processing: You object to the processing of the personal data concerning you, and there are no overriding legitimate grounds for the data to be retained.

4. Unlawful processing: The data was processed unlawfully (e.g. the controller had no legal basis to begin with).

5. Legal obligation: Erasure is required to comply with a legal obligation in EU law or the law of a member state (note that legal obligations under other jurisdictions' laws do not matter).

When Does It Not Apply?

Sometimes, a legitimate request to be forgotten may still be rejected by the search engine. When making the decision of whether to remove the information, the search engine will only do so unless the data is necessary for:

1. Exercising the right of freedom of expression and information.

2. Compliance with a legal obligation.

3. Performing a task carried out in the public interest or in the exercise of official authority.

4. Public health interests, such as many matters that came up with Covid that concerened protecting against serious cross-border health threats.

5. Archiving in the public interest, scientific or historical research, or statistical purposes.

6. Establishing, exercising, or defending legal claims.

How It Works in Practice

1. Submitting a Request

You as the individual that is directly concered need to contact the search engine and explicitly request erasure. Technically, you are making a request to the data controller, which in this case is the search engine that creates and delivers the search results. (Any time you want to use your rights under GDPR it should be done towards the controller - the organisation that is deciding what data about you that it processes, why it does so and how it does so.)

2. Verification - you must be able to show the information is about YOU

The relevant search engine must, after receiving your request:

a) Verify your identity to ensure that no unauthorized access or deletion is granted.

b) Make a careful test as regards the merits of the request you have made for the data to be removed, weighed against the reasons outlined above that would warrant the data to be retained by the search engine. 

3. Decision and response about your request

The search engine must respond to your request "without undue delay", which usually means within one month. However, if your request is complex or involves large volumes of data, this period can be extended by an additional two months, but then they need to inform you of the delay.

4. Deleting the information?

If your request is deemed to be valid and no counter arguments are to be prioritized (as listed above), then the relevant search engine has a legal obligation to erase the personal data about you that is in question.

Need help navigating GDPR compliance? Check out Kat's article for more information.