Artikkel 17
Right to erasure (‘right to be forgotten’)

Offisielle tekster Retningslinjer
og beslutninger
Vurderinger
EU-regulering
Vurderinger
nasj. regulering
Vis forordningens fortaletekst relatert til art. 17 keyboard_arrow_down Skjul forordningens fortaletekst relatert til art. 17 keyboard_arrow_up

(65) A data subject should have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject. In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation. That right is relevant in particular where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet. The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child. However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.

(66) To strengthen the right to be forgotten in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data. In doing so, that controller should take reasonable steps, taking into account available technology and the means available to the controller, including technical measures, to inform the controllers which are processing the personal data of the data subject's request.

(156) The processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be subject to appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation. Those safeguards should ensure that technical and organisational measures are in place in order to ensure, in particular, the principle of data minimisation. The further processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is to be carried out when the controller has assessed the feasibility to fulfil those purposes by processing data which do not permit or no longer permit the identification of data subjects, provided that appropriate safeguards exist (such as, for instance, pseudonymisation of the data). Member States should provide for appropriate safeguards for the processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. Member States should be authorised to provide, under specific conditions and subject to appropriate safeguards for data subjects, specifications and derogations with regard to the information requirements and rights to rectification, to erasure, to be forgotten, to restriction of processing, to data portability, and to object when processing personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. The conditions and safeguards in question may entail specific procedures for data subjects to exercise those rights if this is appropriate in the light of the purposes sought by the specific processing along with technical and organisational measures aimed at minimising the processing of personal data in pursuance of the proportionality and necessity principles. The processing of personal data for scientific purposes should also comply with other relevant legislation such as on clinical trials.

Vis direktivets fortaletekst relatert til art. 17 keyboard_arrow_down Skjul direktivets fortaletekst relatert til art. 17 keyboard_arrow_up

(25) Whereas the principles of protection must be reflected, on the one hand, in the obligations imposed on persons, public authorities, enterprises, agencies or other bodies responsible for processing, in particular regarding data quality, technical security, notification to the supervisory authority, and the circumstances under which processing can be carried out, and, on the other hand, in the right conferred on individuals, the data on whom are the subject of processing, to be informed that processing is taking place, to consult the data, to request corrections and even to object to processing in certain circumstances;

GDPR

Article 17 of Regulation grants a right to be forgotten and to erasure to anyone concerned by personal data processing.

The major contribution of this provision is to establish and to set the conditions for exercising the right to be forgotten, including the obligation for the controller who made public the personal data to inform the third parties of the request of the data subject to erase any links to such data or copies or reproductions that have been made.

Thus, pursuant to Article 17 of the Regulation, the erasure should be obtained  without delay when any of the following grounds applies:  

- where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

- where the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;

- where the data subject objects to the processing pursuant to Article 21 and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2);

- where the personal data have been unlawfully processed;

- where the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

- where the personal data have been collected in relation to the offer of information society services relating to children referred to in Article 8 (1).

Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

The right to be forgotten and to erasure will however not be exercised where the processing is necessary:

- for exercising the right of freedom of expression and information;

- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

- for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9 (2) as well as Article 9 (3);

- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

- for the establishment, exercise or defence of legal claims.

Direktivet

Presented with great fanfare as the major innovation of the Regulation, the right to erasure, however, was already contained, at least in embryo in the Directive, in its Article 12, paragraph b).

We refer here to the important judgment delivered by the Grand Chamber of the Court of Justice of the European Union of 13 May 2014 ((CJEU,  Google Spain SL c. Costeja, 13  May 2014, C-121/12). After considering that Google is subject to the provisions of Directive 95/46/EC (or the transposition law) and considered to be a data controller, the Court found that the right to rectification and to object enshrined in those provisions permit a person to remove links to data.

The requests under Articles 12 (b) (rectification) and 14, first paragraph, (a) (object) of the Directive could be made directly by the data subject to the controller who must duly consider the grounds thereof and, if necessary, terminate the processing of the data in question. When the controller fails to respond to these requests, the data subject can notify supervisory authority or judicial authority to carry out the necessary checks and order the controller to perform specific actions accordingly.

Utfordringer

Both under the Directive and under the aegis of the Regulation, neither the general right to object, nor the right to be forgotten are absolute. 

It is certain that the specific circumstanceswill be decisive and will make the legitimate requests to erase more predictable. The problem will result rather from implementing exceptionsand weighing up competing interests, the responsibility for which will rest on the controller.

The ubiquitous nature of the Internet and the possibility of unlimited replications of the information on the Web require further the data subject to endlessly repeat their request for erasure to the search engines, once new websites containing such information appear. This time-consuming exercise will discourage data subjects. This situation is not likely to guarantee to the citizen a real mastery of their personal data.

Will the obligation on the controller to inform the other controllers processing the data that are subject to the erasure request simplify the task of the data subjects? We will see in practice and in view of the limits permitted by the text itself (at what point and does this obligation become unreasonable?).

Forordning
1e 2e

Art. 17

1.   The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

2.   Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

3.   Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

(a) for exercising the right of freedom of expression and information;

(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);

(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

(e) for the establishment, exercise or defence of legal claims.

1. forslag close

Art. 17

1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child, where one of the following grounds applies:

(a)     the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b)     the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the storage period consented to has expired, and where there is no other legal ground for the processing of the data;

(c)     the data subject objects to the processing of personal data pursuant to Article 19;

(d)     the processing of the data does not comply with this Regulation for other reasons.

2.           Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication.

3.           The controller shall carry out the erasure without delay, except to the extent that the retention of the personal data is necessary:

(a) for exercising the right of freedom of expression in accordance with Article 80;

(b) for reasons of public interest in the area of public health in accordance with Article 81;

(c) for historical, statistical and scientific research purposes in accordance with Article 83;

(d) for compliance with a legal obligation to retain the personal data by Union or Member State law to which the controller is subject; Member State laws shall meet an objective of public interest, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued;

(e) in the cases referred to in paragraph 4.

4.           Instead of erasure, the controller shall restrict processing of personal data where:

(a)     their accuracy is contested by the data subject, for a period enabling the controller to verify the accuracy of the data;

(b)     the controller no longer needs the personal data for the accomplishment of its task but they have to be maintained for purposes of proof;

(c)     the processing is unlawful and the data subject opposes their erasure and requests the restriction of their use instead;

(d)     the data subject requests to transmit the personal data into another automated processing system in accordance with Article 18(2).

5.           Personal data referred to in paragraph 4 may, with the exception of storage, only be processed for purposes of proof, or with the data subject's consent, or for the protection of the rights of another natural or legal person or for an objective of public interest.

6.           Where processing of personal data is restricted pursuant to paragraph 4, the controller shall inform the data subject before lifting the restriction on processing.

7.           The controller shall implement mechanisms to ensure that the time limits established for the erasure of personal data and/or for a periodic review of the need for the storage of the data are observed.

8.           Where the erasure is carried out, the controller shall not otherwise process such personal data.

9.           The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying:

(a)     the criteria and requirements for the application of paragraph 1 for specific sectors and in specific data processing situations;

(b)     the conditions for deleting links, copies or replications of personal data from publicly available communication services as referred to in paragraph 2;

(c)     the criteria and conditions for restricting the processing of personal data referred to in paragraph 4.

 

2. forslag close

Art. 17

1. The (...) controller shall have the obligation to erase personal data without undue delay, especially in relation to personal data which are collected when the data subject was a child, and the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies:

(a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1) or point (a) of Article 9(2) and (...) there is no other legal ground for the processing of the data;

(c) the data subject objects to the processing of personal data pursuant to Article 19(1) and there are no overriding legitimate grounds for the processing or the data subject objects to the processing of personal data pursuant to Article 19(2);

(d) the data have been unlawfully processed;

(e) the data have to be erased for compliance with a legal obligation to which the controller is subject;

1a. The data subject shall have also the right to obtain from the controller the erasure of personal data concerning him or her, without undue delay, if the data have been collected in relation to the offering of information society services referred to in Article 8(1). (...).

2. (...).

2a. Where the controller (...) has made the personal data public and is obliged pursuant to paragraph 1 to erase the data, the controller, taking account of available technology and the cost of implementation, shall take (...) reasonable steps, including technical measures, (...) to inform controllers which are processing the data, that the data subject has requested the erasure by such controllers of any links to, or copy or replication of that personal data.

3. Paragraphs 1, 1a and 2a shall not apply to the extent that (...) processing of the personal data is necessary:

a. for exercising the right of freedom of expression and information ;

b. for compliance with a legal obligation which requires processing of personal data by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

c. for reasons of public interest in the area of public health in accordance with Article 9(2) (h) and (hb) as well as Article 9(4);

d. for archiving purposes in the public interest or for scientific, statistical and historical (...) purposes in accordance with Article 83 ;

e. (...)

f. (...)

g. for the establishment, exercise or defence of legal claims.

4. (...)

5. (...)

Direktiv close

Art. 12

Member States shall guarantee every data subject the right to obtain from the controller:

(a) without constraint at reasonable intervals and without excessive delay or expense:

- confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed,

- communication to him in an intelligible form of the data undergoing processing and of any available information as to their source,

- knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred to in Article 15 (1);

(b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;

(c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort.

Art. 17

Rett til sletting («rett til å bli glemt»)

1. Den registrerte skal ha rett til å få personopplysninger om seg selv slettet av den behandlingsansvarlige uten ugrunnet opphold, og den behandlingsansvarlige skal ha plikt til å slette personopplysninger uten ugrunnet opphold dersom et av de følgende forhold gjør seg gjeldende:

a) personopplysningene er ikke lenger nødvendige for formålet som de ble samlet inn eller behandlet for,

b) den registrerte trekker tilbake samtykket som ligger til grunn for behandlingen, i henhold til artikkel 6 nr. 1 bokstav a) eller artikkel 9 nr. 2 bokstav a), og det ikke finnes noe annet rettslig grunnlag for behandlingen,

c) den registrerte protesterer mot behandlingen i henhold til artikkel 21 nr. 1, og det ikke finnes mer tungtveiende berettigede grunner til behandlingen, eller den registrerte protesterer mot behandlingen i henhold til artikkel 21 nr. 2,

d) personopplysningene er blitt behandlet ulovlig,

e) personopplysningene må slettes for å oppfylle en rettslig forpliktelse i unionsretten eller medlemsstatenes nasjonale rett som den behandlingsansvarlige er underlagt,

f) personopplysningene er blitt samlet inn i forbindelse med tilbud om informasjonssamfunnstjenester som nevnt i artikkel 8 nr. 1.

2. Dersom den behandlingsansvarlige har offentliggjort personopplysningene og i henhold til nr. 1 har plikt til å slette personopplysningene, skal vedkommende, idet det tas hensyn til tilgjengelig teknologi og gjennomføringskostnadene, treffe rimelige tiltak, herunder tekniske tiltak, for å underrette behandlingsansvarlige som behandler personopplysningene, om at den registrerte har anmodet om at nevnte behandlingsansvarlige skal slette alle lenker til, kopier eller reproduksjoner av nevnte personopplysninger.

3. Nr. 1 og 2 får ikke anvendelse dersom nevnte behandling er nødvendig

a) for å utøve retten til ytrings- og informasjonsfrihet,

b) for å oppfylle en rettslig forpliktelse som krever behandling i henhold til unionsretten eller medlemsstatenes nasjonale rett som den behandlingsansvarlige er underlagt, eller for å utføre en oppgave i allmennhetens interesse eller utøve offentlig myndighet som den behandlingsansvarlige er pålagt,

c) av hensyn til allmennhetens interesse på området folkehelse i samsvar med artikkel 9 nr. 2 bokstav h) og i) og artikkel 9 nr. 3,

d) for arkivformål i allmennhetens interesse, for formål knyttet til vitenskapelig eller historisk forskning eller for statistiske formål i samsvar med artikkel 89 nr. 1 i den grad rettigheten nevnt i nr. 1 sannsynligvis vil gjøre det umulig eller i alvorlig grad vil hindre at målene med nevnte behandling nås, eller

e) for å fastsette, gjøre gjeldende eller forsvare rettskrav.

Gamle loven close

§ 28. Forbud mot å lagre unødvendige personopplysninger

Den behandlingsansvarlige skal ikke lagre personopplysninger lenger enn det som er nødvendig for å gjennomføre formålet med behandlingen. Hvis ikke personopplysningene deretter skal oppbevares i henhold til arkivloven eller annen lovgivning, skal de slettes.

Den behandlingsansvarlige kan uten hinder av første ledd lagre personopplysninger for historiske, statistiske eller vitenskapelige formål, dersom samfunnets interesse i at opplysningene lagres klart overstiger de ulempene den kan medføre for den enkelte. Den behandlingsansvarlige skal i så fall sørge for at opplysningene ikke oppbevares på måter som gjør det mulig å identifisere den registrerte lenger enn nødvendig.

Den registrerte kan kreve at opplysninger som er sterkt belastende for ham eller henne skal sperres eller slettes dersom dette

a) ikke strider mot annen lov og

b) er forsvarlig ut fra en samlet vurdering av bl.a. andres behov for dokumentasjon, hensynet til den registrerte, kulturhistoriske hensyn og de ressurser gjennomføringen av kravet forutsetter.

Datatilsynet kan – etter at Riksarkivaren er hørt – treffe vedtak om at retten til sletting etter tredje ledd går foran reglene i arkivloven 4. desember 1992 nr. 126 § 9 og § 18.

Hvis dokumentet som inneholdt de slettede opplysningene gir et åpenbart misvisende bilde etter slettingen, skal hele dokumentet slettes.

[Også pol. § 27 kan være relevant for sletting]

§ 27. Retting av mangelfulle personopplysninger

Dersom det er behandlet personopplysninger som er uriktige, ufullstendige eller som det ikke er adgang til å behandle, skal den behandlingsansvarlige av eget tiltak eller på begjæring av den registrerte rette de mangelfulle opplysningene. Den behandlingsansvarlige skal om mulig sørge for at feilen ikke får betydning for den registrerte, f.eks. ved å varsle mottakere av utleverte opplysninger.

Retting av uriktige eller ufullstendige personopplysninger som kan ha betydning som dokumentasjon, skal skje ved at opplysningene tydelig markeres og suppleres med korrekte opplysninger.

Dersom tungtveiende personvernhensyn tilsier det, kan Datatilsynet uten hinder av annet ledd bestemme at retting skal skje ved at de mangelfulle personopplysningene slettes eller sperres. Hvis opplysningene ikke kan kasseres i medhold av arkivloven, skal Riksarkivaren høres før det treffes vedtak om sletting. Vedtaket går foran reglene i arkivloven 4. desember 1992 nr. 126 § 9 og § 18.

Sletting bør suppleres med registrering av korrekte og fullstendige opplysninger. Dersom dette ikke er mulig, og dokumentet som inneholdt de slettede opplysningene av den grunn gir et åpenbart misvisende bilde, skal hele dokumentet slettes.

Kongen kan gi forskrift med utfyllende bestemmelser om hvordan retting skal gjennomføres.

close