CLVPartners

EDPB

Review of the right to erasure in 2025

In October 2020, the European Data Protection Board (“EDPB“) adopted a document on a coordinated enforcement framework under Regulation (EU) 2016/679 of the European Parliament and of the Council on the General Data Protection Regulation, the GDPR, under which each year a specific data protection issue is examined by Member State authorities on the basis of a framework and methodology defined by the EDPB. These harmonised actions aim, among other things, to facilitate compliance and raise awareness.

This year, the EDPB intends to examine the way in which the right of erasure is exercised and its provision by data controllers. In this article, we summarise the most important facts in this regard.

The importance of the review

In 2025, the EDPB intends to examine the right to erasure, as this is one of the most frequently exercised data subject rights since the entry into force of the GDPR, but there are a large number of complaints to supervisory authorities about its enforcement. To this end, the EDPB, with the help of Member States’ authorities, will this year examine practices in relation to the exercise of the right to erasure and assess how data controllers handle requests for erasure received by them and how they apply the conditions and exceptions to the exercise of this right set out in the GDPR.

What is the right to erasure?

The GDPR sets out the basic rights that the data controller – whether an employer, supply partner or contractor – must inform the data subject of in advance and provide them to the data subject during data processing. Among other things, the data subject has the right to request the erasure of personal data relating to him or her, which the data controller must do without undue delay.

However, the right to erasure is subject to conditions, which may be exercised in one of the following cases:

  • if the personal data are no longer necessary for the purposes for which they were processed;
  • if the data processing was based on the data subject’s consent and the data subject has withdrawn it;
  • if the data subject objects to the processing, where the legal basis for the processing is the protection of the legitimate interests of the controller or of a third party;
  • if the data have been unlawfully processed; or if there is a legal obligation to delete the data.

Ensuring the right of the data subject

The data controller must at all times ensure that the rights of data subjects with regard to the data processing of personal data of natural persons are adequately protected. One of the most important steps is to guarantee the availability of the data controller and to enable contact, which should be achieved through mechanisms that facilitate the exercise of the data subject’s rights.

In the event of any request by a data subject concerning the processing of personal data, the controller shall ensure the exercise of the data subject’s right to be informed as soon as possible after receipt of the request, but not later than 1 month or, if it needs further information, to contact the data subject without delay to deal with the request, preferably through the communication channel used by the data subject. If the data controller does not comply with the data subject’s request, it shall also provide a statement of reasons.

In order for the data controller to be able to assess and comply with the data subject’s request, it is important that the data controller has appropriate organisational and technical measures in place. Ensuring the exercise of the right is of paramount importance, because in case of inappropriate data processing, the data subject can file a complaint with the competent authority – in Hungary the National Authority for Data Protection and Freedom of Information – or even with the courts.

Tasks related to data processing

Since the entry into force of the GDPR in 2018, organisations have developed a wide range of data management practices and there have been significant changes in the legislation in the areas affected by data processing.

At the same time, we see that companies that treat GDPR compliance as a one-off project do not review their processes, documents and background legislation (every few years), and therefore the data privacy policy does not reflect reality after years, for which they can be held liable.

We recommend that companies that meet any of the following criteria should review their data processing documentation and, if necessary, align it with their actual processes:

  1. Introduction of new software
  2. Reorganisation of a business unit or certain processes
  3. Choosing new suppliers
  4. Modifying cooperation with customers
  5. Outsourcing of processes – either to a third country or within the EU
  6. Introduction of certificates (ISO, Tisax, etc.)
  7. Compliance with new legislation (e.g. Complaints Act, GPSR, Pay Transparency Directive)
  8. Changes in the group (e.g. new investor owner)
  9. Change of communication platform (e.g. intranet, chatbot)
  10. Create or merge databases

Image source: Freepik.com

Data Protection Officers are under the spotlight in the European Data Protection Board’s latest coordinated enforcement action

Since 25 May 2018, there is hardly a company that has not had to deal with a Data Protection Officer, or DPO. It has been 5 years since the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC („General Data Protection Regulation”; hereinafter: “GDPR“) came into force, but this does not and cannot mean that “the machine is running, the creator rests.” In view of the continuous development of case law, a review of the regulations may be necessary from time to time.

In 2023, the European Data Protection Board (“EDPB“) decided to conduct a coordinated enforcement action focusing specifically on the designation and operation of DPOs. The coordinated action involves 26 European data protection authorities.

The Data Protection Officer is responsible for protecting the rights and freedoms of data subjects and ensuring compliance with data protection rules. Impartiality and independence are among the requirements for DPOs that most often come to the attention of the authorities. Impartiality and objectivity ensure that the officer is able to closely monitor data management processes, effectively manage data breaches and advise the organisation on compliance with the GDPR and other relevant data protection rules. Impartiality guarantees that the DPO represents data protection issues of all interested parties, be it the employees, contractors, or the management of the organisation. The DPO shall be an expert who has no interest in the organisation or its data processing activities. Conflict of interest also means that the appointed data protection professional must not be in a position or engage in an activity that could jeopardise objective and independent decision-making.

A number of decisions on DPOs have been taken by national authorities in previous years, with the following conclusions:

  • The DPO must not only be registered with the competent authority of the mother company, but the organisation must also notify other relevant authorities if the organisation has other branches and the DPO can operate there too.
  • It is not possible to hire an external company as an outsourced DPO and at the same time also appoint a third party as DPO.
  • If the DPO is in charge of compliance, audit and risk management, the independence or impartiality of the role may be compromised.
  • The DPOs are not allowed to engage in a role as the controller’s representative before the data protection authority, as this could jeopardize the impartiality or independence of the DPO.
  • The DPO can be withdrawn if the DPO no longer has the appropriate professional skills or fails to comply with data protection regulations.
  • The DPO cannot be ordered, and therefore it is a breach of the GDRP if the DPO cannot act on his or her own, but only on the instructions of the head of the company (or any other person with the right to make decisions in the company).

A control plan may formalise the DPO’s procedure, but a direct instruction does not comply with the GDPR.

  • It is also a breach of the GDPR to have several hierarchical levels between the DPO and the senior management of the organisation because this way the DPO is no longer directly accountable to the management.
  • It is not an appropriate solution if the DPO is appointed, but the DPO also performs compliance functions in the company, thus compromising independence and impartiality. The authority in the case confirmed that the DPO cannot perform a role that allows him or her to determine the purposes and means of processing personal data.
  • Similarly, it has been held to be contrary to the prohibition of conflicts of interest, if the DPO is also a managing director of two subsidiaries which are responsible for processing data for the main company. In this case there is a conflict of interest because the DPO supervises the adequacy of the data processing tasks, while having a legitimate interest in the profits and operations of the data processing companies.

As the EDPB will focus on DPOs in its coordinated enforcement actions in 2023, we can expect to see a growing number of decisions in which the determining data protection authority makes decisions in principle on the functioning and impartiality of the DPOs. Further guidelines or statements may be issued by national or EU authorities.

New guidelines of the EDPB on data controllers and data processors

The European Data Protection Board (“EDPB” or “Board”) has adopted the final version of guidelines no. 07/2020 on the concepts of controller and processor in the GDPR on its meeting of 7 July 2021, which renews and replaces the previous guidance no. 1/2010 of the Article 29 Data Protection Working Party on the same subject.

The definition of roles of data controller and data processor has been and continues to be the most controversial issue of data protection law, both during and prior to the entry into effect of the GDPR, as the assumed role determines the obligations and thus the corresponding responsibility. For this reason, the new EDPB guidelines are essential for all actors involved in data processing activities.

  1. Identifying the data controller

According to the GDPR, the person determining the purposes and means of the processing of personal data shall be considered the data controller. Among the elements of the concept, the new guideline explained the means of data processing in most detail, implementing a sharper distinction compared to the previous guidance.

In the opinion of the Board, when identifying the data controller, the means of data processing shall be understood only as the essential means, which are the following:

  • type of personal data which are processed
  • duration of the processing
  • the categories of recipients with access to the data (including transfers of data)
  • the categories of data subjects

The EDPB also emphasizes that actual access to personal data is not a requirement to be considered the data controller.

  1. Identifying the data processor

According to the GDPR, the data processor is the person who performs the processing operations on behalf of the data controller. The EDPB identified two explicit and one implied condition for the identification of the data processor. The two explicit conditions are as follows:

  • The data processor is a separate entity from the data controller;
  • The processing operations are performed solely on behalf of the data controller and the data are not processed for any purpose or interest other than those of the data controller.

In addition to the above, the third implied condition is that the discretion of the data processor includes the choice of non-essential means of data processing, such as the location of data storage, the software and methodology used for data processing operations.

There must be a written contract between the data controller and the data processor regarding the data processing, the absence of a contract constitutes an infringement of the GDPR on part of both actors.

The EDPB emphasized that the GDPR also imposes stricter obligations on data processors compared to the previous regulation. In addition, in the data processing agreement, the data controller may indirectly hold the data processor responsible for the performance of the data controller’s obligations under the GDPR, therefore, in order to limit the data controller’s liability, the most important thing is to select a responsible data processor, and conclude a processing agreement which duly takes into account all responsibilities.

  1. A person under the direct control of the data controller or data processor

Compared to the concepts of data controller and data processor, the role under the direct control of the data controller or data processor set out by Article 29 of the GDPR is less frequently discussed, but in practice the majority of natural persons perform data processing operations in this capacity.

This category includes a person who is not separate from the data controller or data processor. For example, neither the managing director nor a department of the company can be considered a separate entity from the company.

This category also includes a person who, although carrying out processing operations on behalf of the controller, has no independent decision-making power over these operations at all. Directly under the direct control are mainly workers and employees, but it is important to note that from the point of view of data protection law, not only workers employed under the Labour Code should be considered as employees, but also, where appropriate, staff employed under a service or agency contract.

When identifying direct control, in addition to the type of legal relationship, it is therefore necessary to examine the decision-making rights of the individual, his or her integration into the organization of the data controller or data processor, and the control exercised by the data controller or data processor.

For persons under direct control, the GDPR contains a single requirement that personal data may not be processed contrary to the instructions of the data controller. It is also possible and recommended in case of the persons under direct control to impose the obligations of the GDPR, as well as to sanction any conduct that infringes data protection law, in a contract or internal regulations.

Should you have any questions regarding the above, feel free to contact us.

CLVPartners news

 

Statement of the EDPB on data processing during the coronavirus epidemic

The European Data Protection Board (“EDPB”) has issued a statement on its website on data processing during the coronavirus epidemic.Please find our summary of the statement below:
1. The conditions of processing health data, as special category of data shall be specified by the national law in accordance with the GDPR. In this regard, the GDPR requires that the lawmaker defines specific measures and the suitable safeguards of the rights of the data subjects.

2. As per the position of the Hungarian Data Protection Authority emphasized, in the event of medical examinations such as body temperature measurement, this safeguard is the presence of a healthcare professional, therefore it is still not possible to implement such measurement at the workplace without the presence of a professional.

3. According to the EDPB’s position, the employers should inform employees if a coronavirus infected person has been identified at the workplace (to take the necessary protective measures), without revealing the identity of said person. The concerned employees shall be informed in advance and their dignity and shall be protected. Information on the infection should be first and foremost disclosed to those entitled to process these data, such as authorities and treating physicians if requested.

As the GDPR allows for a wide range of derogations in national law, we can expect a more detailed regulation of the data processing in relation to the epidemic.

The content of this article is not exhaustive and does not constitute a legal advice. Should you have any specific questions regarding any issues investigated by our articles, please contact us and we will be happy to be at your disposal.

CLVPartners
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.