Right to be forgot the biggest innovation the GDPR offers?
In an interview with NOS today, the diritto all oblio under the GDPR is described by the chairman of the Dutch Data Protection Authority as “an important change compared to the old privacy law”. The question is whether that is so. New privacy law from May 25 From May 25, 2018, the General Data Protection Regulation (GDPR) will apply.
This European privacy law replaces the 1995 privacy directive. The biggest change is that all kinds of administrative In an interview with NOS today , the right to be forgot under the GDPR is regard by the chairman of the Dutch Data Protection Authority as ” an important change compared to the old privacy law “.
The question is whether that is so. New privacy law from May 25 From May 25, 2018, the General Data Protection Regulation (GDPR) will apply. This European privacy law replaces the 1995 privacy directive. The biggest change is that all kinds of administrative (compliance) obligations will rest on companies and institutions. What can and cannot be done with personal data remain largely the same.
Little new under the sun
This right to be forgot is nothing new under the sun. It simply build on existing rule. Only for service to a child, the GDPR may add something new oblio immagini.
After all, the right can be invoke if:
- The data is no longer need (existing law, ‘Google Spain’ judgment ).
- The permission withdrawn (existing right, see article 5 paragraph 2 WFP ).
- The right to object is invoke (existing right, see article 40/41 WFP).
- The processing is unlawful (existing law, ‘Google Spain’ judgment ).
- There is a legal obligation to delete (existing right, because apparently longer processing is unlawful, see previous bullet).
- Data was collect from online service to a child (that’s new!).
Incidentally, the question is whether the best interests of a child under current law will not always prevail when invoking the right to object. So the last bullet may not be that new .
Not informing third parties new
Furthermore, when data is delete, the successive recipient must also be inform about this. However, that is nothing new either, see Article 38 WFP and, among other things, the Rijkeboer judgment diritto all oblio definizione.
Stop selling data?
Furthermore, the interview states that company should only be allow to sell data on the basis of permission. This is not in the GDPR. The GDPR even states that, just like under the WFP, the interest of a third party can be a legitimate interest in the processing of personal data (ref. 47). Recital 48 even explicitly mention that data may be share within a group.
Under current and future law, when “selling” data, the question is rather whether purpose limitation and transparency do not stand in the way of this.
Treat every customer?
Wolfsan also notes that any consumer complaint will be handled by the AP. That sounds ambitious. I am very curious about the practice.