Article 17
Right to erasure (‘right to be forgotten’)

Recitals of the Regulation related to article 17

(65) A data subject should have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject. In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation. That right is relevant in particular where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet. The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child. However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.

(66) To strengthen the right to be forgotten in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data. In doing so, that controller should take reasonable steps, taking into account available technology and the means available to the controller, including technical measures, to inform the controllers which are processing the personal data of the data subject's request.

(156) The processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be subject to appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation. Those safeguards should ensure that technical and organisational measures are in place in order to ensure, in particular, the principle of data minimisation. The further processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes is to be carried out when the controller has assessed the feasibility to fulfil those purposes by processing data which do not permit or no longer permit the identification of data subjects, provided that appropriate safeguards exist (such as, for instance, pseudonymisation of the data). Member States should provide for appropriate safeguards for the processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. Member States should be authorised to provide, under specific conditions and subject to appropriate safeguards for data subjects, specifications and derogations with regard to the information requirements and rights to rectification, to erasure, to be forgotten, to restriction of processing, to data portability, and to object when processing personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. The conditions and safeguards in question may entail specific procedures for data subjects to exercise those rights if this is appropriate in the light of the purposes sought by the specific processing along with technical and organisational measures aimed at minimising the processing of personal data in pursuance of the proportionality and necessity principles. 
The processing of personal data for scientific purposes should also comply with other relevant legislation such as on clinical trials.

Recitals of the Directive related to article 17

(25) Whereas the principles of protection must be reflected, on the one hand, in the obligations imposed on persons, public authorities, enterprises, agencies or other bodies responsible for processing, in particular regarding data quality, technical security, notification to the supervisory authority, and the circumstances under which processing can be carried out, and, on the other hand, in the right conferred on individuals, the data on whom are the subject of processing, to be informed that processing is taking place, to consult the data, to request corrections and even to object to processing in certain circumstances;

The GDPR

Article 17 of the Regulation grants a right to be forgotten and to erasure to anyone concerned by personal data processing.

The major contribution of this provision is to establish and to set the conditions for exercising the right to be forgotten, including the obligation for the controller who made public the personal data to inform the third parties of the request of the data subject to erase any links to such data or copies or reproductions that have been made.

Thus, pursuant to Article 17 of the Regulation, the erasure should be obtained without delay when any of the following grounds applies:

- where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

- where the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;

- where the data subject objects to the processing pursuant to Article 21 and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21 (2);

- where the personal data have been unlawfully processed;

- where the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

- where the personal data have been collected in relation to the offer of information society services relating to children referred to in Article 8 (1).

Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

The right to be forgotten and to erasure will however not be exercised where the processing is necessary:

- for exercising the right of freedom of expression and information;

- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

- for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9 (2) as well as Article 9 (3);

- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

- for the establishment, exercise or defence of legal claims.

The Directive

Presented with great fanfare as the major innovation of the Regulation, the right to erasure was, however, already contained, at least in embryo, in Article 12, paragraph b) of the Directive.

We refer here to the important judgment delivered by the Grand Chamber of the Court of Justice of the European Union of 13 May 2014 (CJEU, Google Spain SL c. Costeja, 13 May 2014, C-121/12). After considering that Google is subject to the provisions of Directive 95/46/EC (or the transposition law) and is to be considered a data controller, the Court found that the rights to rectification and to object enshrined in those provisions permit a person to have links to data removed.

The requests under Articles 12 (b) (rectification) and 14, first paragraph, (a) (object) of the Directive could be made directly by the data subject to the controller, who must duly consider the grounds thereof and, if necessary, terminate the processing of the data in question. When the controller fails to respond to these requests, the data subject can notify the supervisory authority or the judicial authority to carry out the necessary checks and order the controller to perform specific actions accordingly.

Potential issues

Both under the Directive and under the aegis of the Regulation, neither the general right to object nor the right to be forgotten is absolute.

It is certain that the specific circumstances will be decisive and will make the legitimate requests to erase more predictable. The problem will result rather from implementing exceptions and weighing up competing interests, the responsibility for which will rest on the controller.

The ubiquitous nature of the Internet and the possibility of unlimited replications of the information on the Web further require the data subject to endlessly repeat their request for erasure to the search engines, once new websites containing such information appear. This time-consuming exercise will discourage data subjects. This situation is not likely to guarantee to the citizen a real mastery of their personal data.

Will the obligation on the controller to inform the other controllers processing the data that are subject to the erasure request simplify the task of the data subjects? We will see in practice and in view of the limits permitted by the text itself (at what point does this obligation become unreasonable?).

Group 29

Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 (6 February 2018)

(Endorsed by the EDPB)

The General Data Protection Regulation (the GDPR) specifically addresses profiling and automated individual decision-making, including profiling.

Profiling and automated decision-making are used in an increasing number of sectors, both private and public. Banking and finance, healthcare, taxation, insurance, marketing and advertising are just a few examples of the fields where profiling is being carried out more regularly to aid decision-making.

Advances in technology and the capabilities of big data analytics, artificial intelligence and machine learning have made it easier to create profiles and make automated decisions with the potential to significantly impact individuals’ rights and freedoms.

The widespread availability of personal data on the internet and from Internet of Things (IoT) devices, and the ability to find correlations and create links, can allow aspects of an individual’s personality or behaviour, interests and habits to be determined, analysed and predicted.

Profiling and automated decision-making can be useful for individuals and organisations, delivering benefits such as:

  • increased efficiencies; and
  • resource savings.

They have many commercial applications, for example, they can be used to better segment markets and tailor services and products to align with individual needs. Medicine, education, healthcare and transportation can also all benefit from these processes.

However, profiling and automated decision-making can pose significant risks for individuals’ rights and freedoms which require appropriate safeguards.

These processes can be opaque. Individuals might not know that they are being profiled or understand what is involved.

Profiling can perpetuate existing stereotypes and social segregation. It can also lock a person into a specific category and restrict them to their suggested preferences. This can undermine their freedom to choose, for example, certain products or services such as books, music or newsfeeds. In some cases, profiling can lead to inaccurate predictions. In other cases it can lead to denial of services and goods and unjustified discrimination.

The GDPR introduces new provisions to address the risks arising from profiling and automated decision-making, notably, but not limited to, privacy. The purpose of these guidelines is to clarify those provisions.

This document covers:

  • Definitions of profiling and automated decision-making and the GDPR approach to these in general – Chapter II
  • General provisions on profiling and automated decision-making – Chapter III
  • Specific provisions on solely automated decision-making defined in Article 22 - Chapter IV
  • Children and profiling – Chapter V
  • Data protection impact assessments and data protection officers – Chapter VI

The Annexes provide best practice recommendations, building on the experience gained in EU Member States.

The Article 29 Data Protection Working Party (WP29) will monitor the implementation of these guidelines and may complement them with further details as appropriate.

CJEU caselaw

C-553/07 (7 May 2009)

Article 12(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data requires Member States to ensure a right of access to information on the recipients or categories of recipient of personal data and on the content of the data disclosed not only in respect of the present but also in respect of the past. It is for Member States to fix a time-limit for storage of that information and to provide for access to that information which constitutes a fair balance between, on the one hand, the interest of the data subject in protecting his privacy, in particular by way of his rights to object and to bring legal proceedings and, on the other, the burden which the obligation to store that information represents for the controller.

Rules limiting the storage of information on the recipients or categories of recipient of personal data and on the content of the data disclosed to a period of one year and correspondingly limiting access to that information, while basic data is stored for a much longer period, do not constitute a fair balance of the interest and obligation at issue, unless it can be shown that longer storage of that information would constitute an excessive burden on the controller. It is, however, for national courts to make the determinations necessary.

Opinion of Advocate general

Judgment of the Court

C-486/12 (12 December 2013)

1. Article 12(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as not precluding the levying of fees in respect of the communication of personal data by a public authority.

2. Article 12(a) of Directive 95/46 must be interpreted as meaning that, in order to ensure that fees levied when the right to access personal data is exercised are not excessive for the purposes of that provision, the level of those fees must not exceed the cost of communicating such data. It is for the national court to carry out any verifications necessary, having regard to the circumstances of the case.

Judgment of the Court

C-131/12 (13 May 2014)

1. Article 2(b) and (d) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data are to be interpreted as meaning that, first, the activity of a search engine consisting in finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily and, finally, making it available to internet users according to a particular order of preference must be classified as ‘processing of personal data’ within the meaning of Article 2(b) when that information contains personal data and, second, the operator of the search engine must be regarded as the ‘controller’ in respect of that processing, within the meaning of Article 2(d).

2. Article 4(1)(a) of Directive 95/46 is to be interpreted as meaning that processing of personal data is carried out in the context of the activities of an establishment of the controller on the territory of a Member State, within the meaning of that provision, when the operator of a search engine sets up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State.

3. Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, in order to comply with the rights laid down in those provisions and in so far as the conditions laid down by those provisions are in fact satisfied, the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.

4. Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46 are to be interpreted as meaning that, when appraising the conditions for the application of those provisions, it should inter alia be examined whether the data subject has a right that the information in question relating to him personally should, at this point in time, no longer be linked to his name by a list of results displayed following a search made on the basis of his name, without it being necessary in order to find such a right that the inclusion of the information in question in that list causes prejudice to the data subject. As the data subject may, in the light of his fundamental rights under Articles 7 and 8 of the Charter, request that the information in question no longer be made available to the general public on account of its inclusion in such a list of results, those rights override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name. However, that would not be the case if it appeared, for particular reasons, such as the role played by the data subject in public life, that the interference with his fundamental rights is justified by the preponderant interest of the general public in having, on account of its inclusion in the list of results, access to the information in question.

Opinion of Advocate general

Judgment of the Court

C-141/12 ; C-372/12 (17 July 2014)

1. Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that the data relating to an applicant for a residence permit contained in an administrative document, such as the ‘minute’ at issue in the main proceedings, setting out the grounds that the case officer puts forward in support of the draft decision which he is responsible for drawing up in the context of the procedure prior to the adoption of a decision concerning the application for such a permit and, where relevant, the data in the legal analysis contained in that document, are ‘personal data’ within the meaning of that provision, whereas, by contrast, that analysis cannot in itself be so classified.

2. Article 12(a) of Directive 95/46 and Article 8(2) of the Charter of Fundamental Rights of the European Union must be interpreted as meaning that an applicant for a residence permit has a right of access to all personal data concerning him which are processed by the national administrative authorities within the meaning of Article 2(b) of that directive. For that right to be complied with, it is sufficient that the applicant be in possession of a full summary of those data in an intelligible form, that is to say a form which allows that applicant to become aware of those data and to check that they are accurate and processed in compliance with that directive, so that he may, where relevant, exercise the rights conferred on him by that directive.

3. Article 41(2)(b) of the Charter of Fundamental Rights of the European Union must be interpreted as meaning that the applicant for a residence permit cannot rely on that provision against the national authorities.

Opinion of Advocate general

Judgment of the Court

C-398/15 (9 March 2017)

Article 6(1)(e), Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, read in conjunction with Article 3 of the First Council Directive 68/151/EEC of 9 March 1968 on co-ordination of safeguards which, for the protection of the interests of members and others, are required by Member States of companies within the meaning of the second paragraph of Article 58 of the Treaty, with a view to making such safeguards equivalent throughout the Community, as amended by Directive 2003/58/EC of the European Parliament and of the Council of 15 July 2003, must be interpreted as meaning that, as EU law currently stands, it is for the Member States to determine whether the natural persons referred to in Article 2(1)(d) and (j) of that directive may apply to the authority responsible for keeping, respectively, the central register, commercial register or companies register to determine, on the basis of a case-by-case assessment, if it is exceptionally justified, on compelling legitimate grounds relating to their particular situation, to limit, on the expiry of a sufficiently long period after the dissolution of the company concerned, access to personal data relating to them, entered in that register, to third parties who can demonstrate a specific interest in consulting that data.

Opinion of Advocate general

Judgment of the Court

Regulation

Art. 17

1.   The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

2.   Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

3.   Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

(a) for exercising the right of freedom of expression and information;

(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);

(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

(e) for the establishment, exercise or defence of legal claims.

1st proposal

Art. 17

1. The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child, where one of the following grounds applies:

(a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the storage period consented to has expired, and where there is no other legal ground for the processing of the data;

(c) the data subject objects to the processing of personal data pursuant to Article 19;

(d) the processing of the data does not comply with this Regulation for other reasons.

2. Where the controller referred to in paragraph 1 has made the personal data public, it shall take all reasonable steps, including technical measures, in relation to data for the publication of which the controller is responsible, to inform third parties which are processing such data, that a data subject requests them to erase any links to, or copy or replication of that personal data. Where the controller has authorised a third party publication of personal data, the controller shall be considered responsible for that publication.

3. The controller shall carry out the erasure without delay, except to the extent that the retention of the personal data is necessary:

(a) for exercising the right of freedom of expression in accordance with Article 80;

(b) for reasons of public interest in the area of public health in accordance with Article 81;

(c) for historical, statistical and scientific research purposes in accordance with Article 83;

(d) for compliance with a legal obligation to retain the personal data by Union or Member State law to which the controller is subject; Member State laws shall meet an objective of public interest, respect the essence of the right to the protection of personal data and be proportionate to the legitimate aim pursued;

(e) in the cases referred to in paragraph 4.

4. Instead of erasure, the controller shall restrict processing of personal data where:

(a) their accuracy is contested by the data subject, for a period enabling the controller to verify the accuracy of the data;

(b) the controller no longer needs the personal data for the accomplishment of its task but they have to be maintained for purposes of proof;

(c) the processing is unlawful and the data subject opposes their erasure and requests the restriction of their use instead;

(d) the data subject requests to transmit the personal data into another automated processing system in accordance with Article 18(2).

5. Personal data referred to in paragraph 4 may, with the exception of storage, only be processed for purposes of proof, or with the data subject's consent, or for the protection of the rights of another natural or legal person or for an objective of public interest.

6. Where processing of personal data is restricted pursuant to paragraph 4, the controller shall inform the data subject before lifting the restriction on processing.

7. The controller shall implement mechanisms to ensure that the time limits established for the erasure of personal data and/or for a periodic review of the need for the storage of the data are observed.

8. Where the erasure is carried out, the controller shall not otherwise process such personal data.

9. The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying:

(a) the criteria and requirements for the application of paragraph 1 for specific sectors and in specific data processing situations;

(b) the conditions for deleting links, copies or replications of personal data from publicly available communication services as referred to in paragraph 2;

(c) the criteria and conditions for restricting the processing of personal data referred to in paragraph 4.

2nd proposal

Art. 17

1. The (...) controller shall have the obligation to erase personal data without undue delay, especially in relation to personal data which are collected when the data subject was a child, and the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies:

(a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1) or point (a) of Article 9(2) and (...) there is no other legal ground for the processing of the data;

(c) the data subject objects to the processing of personal data pursuant to Article 19(1) and there are no overriding legitimate grounds for the processing or the data subject objects to the processing of personal data pursuant to Article 19(2);

(d) the data have been unlawfully processed;

(e) the data have to be erased for compliance with a legal obligation to which the controller is subject;

1a. The data subject shall have also the right to obtain from the controller the erasure of personal data concerning him or her, without undue delay, if the data have been collected in relation to the offering of information society services referred to in Article 8(1). (...).

2. (...).

2a. Where the controller (...) has made the personal data public and is obliged pursuant to paragraph 1 to erase the data, the controller, taking account of available technology and the cost of implementation, shall take (...) reasonable steps, including technical measures, (...) to inform controllers which are processing the data, that the data subject has requested the erasure by such controllers of any links to, or copy or replication of that personal data.

3. Paragraphs 1, 1a and 2a shall not apply to the extent that (...) processing of the personal data is necessary:

a. for exercising the right of freedom of expression and information;

b. for compliance with a legal obligation which requires processing of personal data by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

c. for reasons of public interest in the area of public health in accordance with Article 9(2) (h) and (hb) as well as Article 9(4);

d. for archiving purposes in the public interest or for scientific, statistical and historical (...) purposes in accordance with Article 83;

e. (...)

f. (...)

g. for the establishment, exercise or defence of legal claims.

4. (...)

5. (...)

Directive

Art. 12

Member States shall guarantee every data subject the right to obtain from the controller:

(a) without constraint at reasonable intervals and without excessive delay or expense:

- confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed,

- communication to him in an intelligible form of the data undergoing processing and of any available information as to their source,

- knowledge of the logic involved in any automatic processing of data concerning him at least in the case of the automated decisions referred to in Article 15 (1);

(b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;

(c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort.

Scope of application and implementing provision

§ 4 DSG

[...]

(2) If personal data processed by automated means cannot be rectified or erased immediately because they can be rectified or erased only at certain times for economic or technical reasons, processing of the personal data concerned shall be restricted until that time, with the effect as stipulated in Article 18 para. 2 of the General Data Protection Regulation.

[...]


Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

§ 7 DSG

(1) For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes whose goal is not to obtain results in a form relating to specific data subjects, the controller may process all personal data that

  1. are publicly accessible,
  2. the controller has lawfully collected for other research projects or other purposes, or
  3. are pseudonymised personal data for the controller, and the controller cannot establish the identity of the data subject by legal means.

(2) In the case of processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes that do not fall under para. 1, personal data may be processed only

  1. pursuant to specific legal provisions,
  2. with the consent of the data subject, or
  3. with a permit of the Data Protection Authority pursuant to para. 3.

(3) A permit of the Data Protection Authority for the processing of personal data for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall be granted at the request of the controller ordering the research project, if

  1. the consent of the data subject is impossible to obtain because the data subject cannot be reached or the effort would otherwise be unreasonable,
  2. there is a public interest in the processing for which a permit is sought, and
  3. the professional aptitude of the controller has been satisfactorily demonstrated.

If special categories of personal data (Article 9 of the General Data Protection Regulation) are to be collected, an important public interest in the research project must exist; furthermore, it must be ensured that the personal data are processed at the premises of the controller ordering the research project only by persons who are subject to a statutory obligation of confidentiality regarding the subject matter of the research project or whose reliability in this respect is credible. The Data Protection Authority shall issue the permit subject to terms and conditions, insofar as this is necessary to safeguard the data subjects’ interests which deserve protection.

(4) A request according to para. 3 must, however, be accompanied by a statement signed by the person authorised to exercise rights in respect of the data files from which the personal data are to be collected, stating that this person is making the data files available for the research project. Instead of this statement, a writ of enforcement (§ 367 para. 1 of the Enforcement Code, Imperial Law Gazette No 79/1896) replacing this statement may be submitted.

(5) Even in cases where the processing of personal data for scientific research purposes or statistical purposes is permitted in a form which allows the identification of data subjects, the data shall be coded without delay so that the data subjects are no longer identifiable if specific phases of scientific or statistical work can be performed with personal data pursuant to para. 1 subpara. 3. Unless otherwise expressly provided for by law, data in a form which allows the identification of data subjects shall be rendered unidentifiable as soon as it is no longer necessary for scientific or statistical work to keep them identifiable.

(6) Legal restrictions on the right to use personal data for other reasons, in particular for copyright reasons, shall not be affected.

Old law

In force until May 25, 2018:


Right to Rectification and Erasure

§ 27 DSG 2000

(1) Every controller shall rectify or erase data that are incorrect or have been processed contrary to the provisions of this federal law

1. on his own, as soon as the incorrectness of the data or the inadmissibility of the processing becomes known to him, or

2. on a well-founded application by the data subject.

The obligation to rectify data according to sub-para. 1 shall apply only to those data whose correctness is significant for the purpose of the data application. The incompleteness of data shall only justify a claim to rectification if the incorrectness, with regard to the purpose of the data application, results in the entire information being incorrect. As soon as data are no longer needed for the purpose of the data application, they shall be regarded as illegally processed data and shall be erased unless their archiving is legally permitted and unless the access to these data is specially secured. Any further use for another purpose shall be legitimate only if a transmission of the data for this purpose is legitimate; the legitimacy of further uses for scientific or statistical purposes is laid down in §§ 46 and 47.

(2) It shall be the obligation of the controller to prove that the data are correct unless specifically provided otherwise by law insofar as the data have not been collected exclusively based on statements made by the data subject.

(3) No rectification or erasure of data is possible insofar as the documentation purpose of a data application does not permit later changes. In such case, the necessary rectifications shall be effected by means of additional comments.

(4) The application for rectification or erasure shall be complied with within eight weeks after receipt and the applicant shall be informed thereof, or a reason in writing shall be given why the requested erasure or rectification was not carried out.

(5) In the areas of the executive responsible for the fields described in § 26 para. 2 sub paras. 1 to 5, the following procedure shall be applied to applications for rectification or erasure, insofar as this is required to safeguard those public interests that require secrecy: The rectification or erasure shall be carried out if the demands of the data subject are justified in the opinion of the controller. The required information pursuant to para. 4 shall in all cases be that a check of the data files of the controller with regard to the application for rectification or erasure has been performed. The legality of this course of action is subject to review by the Data Protection Authority according to § 30 para. 3 and the special complaint proceeding before the Data Protection Authority pursuant to § 31 para. 4.

(6) If the erasure or rectification of data kept solely on media readable by means of automatic processing systems can be carried out only at specific times for economic reasons, the data to be erased shall be kept inaccessible and a correcting remark shall be attached to the data that are to be corrected.

(7) If data are used whose correctness is disputed by the data subject, and if neither their correctness nor incorrectness can be established, an entry about the dispute shall be attached upon request by the data subject. The entry about the dispute shall be erased only with the consent of the data subject or on grounds of a decision of the competent court of law or of the Data Protection Authority.

(8) If data that were rectified or erased in terms of para. 1 were transmitted before having been rectified or erased, the controller shall inform the recipient of the data by appropriate means, insofar as this does not constitute an unreasonable effort, in particular with regard to a legitimate interest in the information, and that the recipient can still be determined.

(9) The provisions of para. 1 to 8 shall be applied to the criminal records, kept according to the Criminal Records Act 1968 as well as to public books and registers kept by public sector controllers only insofar as

1. the obligation to rectification and erasure ex officio or

2. the procedure to assert and the competence to decide applications to rectification and erasure of data subjects

is not regulated otherwise by federal law.
