The delicate balance of the right to be forgotten: new guidelines for search engines published

Lawyer Vincenzo Colarocco

In accordance with the provisions of Article 70(1)(e) of Regulation (EU) No 679/2016 (“GDPR”), on 2 December 2019 the European Data Protection Board (“EDPB” or the “Committee”) adopted guidelines on the relationship between the right to be forgotten and search engines (hereinafter the “Guidelines”, available at the following link: The purpose of the Guidelines is to provide a correct interpretation of the right to be forgotten (pursuant to Art. 17 GDPR) and of the right to object to the processing (pursuant to Art. 21 GDPR) in the light of what has been established by the European Court of Justice following the outcome of the well-known case C-131/12 (Google Spain SL and Google Inc. c.). Agencia Española de Protección de Datos “AEPD” and Mario Costeja González, judgment of 13 May 2014). In the introduction, the EDPB points out that each request for cancellation must trace its legitimacy in the wide range of cases provided for by Art. 17 GDPR, specifying how, in practice, some legal bases will be more frequent – and more relevant – than others. For example, the Committee points out that, in the event that a data subject considers that a specific news pertaining to him or her is now obsolete, he or she can justify his or her request to be forgotten by search engines by virtue of the provision set forth in Article 17, paragraph 1, letter a) of the GDPR concerning the cases in which “personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed”. On the other hand, it seems unlikely that a request for deletion will be made on the basis of a revocation of consent previously given (pursuant to Article 17(1)(b) of the GDPR) because, if there is actually consent to the legitimacy of the processing, such consent will have been given to the web editor and not to the search engine which indexes the data. The Guidelines therefore focus on cases where, in line with the provisions of Article 17(3) GDPR, data controllers may not comply with a request for deletion. Among the above circumstances – which can be derived overall from the aforementioned article – the EDPB focuses on the most complex cases: the balance between the right to be forgotten and the right to freedom of expression and information, pointing out that, inevitably, in the context of this assessment, will detect a variety of factors such as: the nature of the data and the relative degree of “sensitivity”; the real interest of Internet users in accessing the information for which deletion is requested; the possible public role played by the data subject requesting it.

A controversial decision from Italian Administrative Judges on the appointment of Data Protection Officers

Lawyer Vincenzo Colarocco

Among the factors that most contribute to decreasing the relevance of the DPO’s role are the professional selection methods. On the subject, the Administrative Court of the Puglia Region intervened on 13 September, with sentence n. 1468/2019, from which it is possible to deduce important considerations regarding the procedure for the designation of the Data Protection Officer.

The decision issued, has the effect of canceling the award of a two-year DPO assignment to a limited liability company, which had appointed, for the DPO role, an external consultant. According to the judges, indeed, based on an authentic interpretation of the Guidelines on Data Protection Officers (WP243), the company had proceeded to designate the DPO by appointing a professional external to the company, without specifying and proving that the latter belonged to that same company. Consequently, according to this interpretation, the subject who performs the functions of Data Protection Officer in the case of entrustment to a juridical person of the assignment, must be an employee of the company that offers the DPO service, as long as it is not possible to appoint an external professional.

The ruling of the judges, although it deals with the public sector, expresses a principle that has expansive potential even in the private sector, that, if it could be shared, it would make illegitimate a considerable number of appointments of DPO made in favor of legal persons, since the latter will constantly avail themselves of external professionals, who should guarantee specialist knowledge of data protection legislation and practices, as well as the ability to perform the tasks required by art. 37, par. 5 of the GDPR.

Transparency: EDPB Guidelines on video surveillance

Lawyer Vincenzo Colarocco

On 10 June 2019, the European Data Protection Board (EDPB) adopted guidelines no. 3/2019 on data processing in video surveillance, which clarify the terms of the general data protection regulation that apply to the processing of personal data when using video devices, and aim to ensure the consistent application of the GDPR on the subject.

Briefly, with reference to the information to be given to data subjects, the two-level structure is confirmed: summary information (warning sign) and complete information (available for example on the website). The sign must be placed near the camera and must contain all the essential information required by the GDPR. Below is the example of the new version of the information sign provided by the same guidelines.

What the first sanctions reveal and what are the choices of the Supervisory Authorities?

Lawyer Vincenzo Colarocco

The supervisory authorities – EU privacy guarantors – have so far taken a reasonable and considered approach to sanctions for non-compliance with the Gdpr, as provided for in the same regulation, which states that sanctions must in any case be effective, proportionate and dissuasive. For example:


Authority Fine () Quoted Art. Summary
French Data Protection Authority (CNIL) 50,000,000 for Google Inc. Art. 13 GDPR, Art. 14 GDPR, Art. 6 GDPR, Art. 4 nr. 11 GDPR, Art. 5 GDPR Lack of transparency (Art. 5 GDPR), insufficient information (Art. 13 / 14 GDPR) and lack of legal basis (Art. 6 GDPR). The obtained consents had not been given “specific” and not “unambigous” (Art. 4 nr. 11 GDPR).
Italian Data Protection Authority (Garante) 50,000 for the Italian political party Movimento 5 Stelle Art. 32 GDPR Insufficient technical and organisational measures to ensure information security
Information Commissioner (ICO) 204,600,000 for British Airways Art. 32 GDPR Insufficient technical and organisational measures to ensure information security

See the list in detail for a better overview.

The State of health of data protection: Communication from the European Commission to the European Parliament and the European Council of 24 july 2019

Lawyer Vincenzo Colarocco

The European Commission published on 24.7.2019 a “Communication to the European Parliament and the Council” entitled “Data protection rules as a trust-enabler in the EU and beyond – taking stock” outlining the current state of data protection in the EU, with a particular focus on the impact of the GDPR (the framework will need to be complemented by the e-Privacy Regulation, currently under preparation).

Most Member States have put in place the necessary legal framework and the new system strengthening the enforcement of data protection rules is coming into operation. The Commission has noted increased awareness among citizens who increasingly exercise their rights. The EU data protection legislative framework has become the cornerstone of the European civil society innovation project.

The European project covers health and research, artificial intelligence, transport, energy, electoral policies, competition and law enforcement.

Health data: new Council of Europe guidelines

Lawyer Vincenzo Colarocco

The Council of Europe, with a recommendation adopted on last 27 March (hereinafter referred to as the “Recommendation”), has provided a set of guidelines for the Member States with the aim of guiding them in the proper processing of health data.

The clear intention of the above European body is to ensure, in law and in practice, that the processing of such special categories of data under Article 9 of EU Regulation 679/2016 (“GDPR” or “Regulation”) will be implemented in full respect of human rights, at a particular historical time when the use of new technologies is quickly increasing[1]. This assumption implies the need to set up the treatment considering the cornerstones set at the basis of the Regulation:  privacy by design and privacy by default as regulated by art. 32 of the GDPR. Therefore, the technical and organisational measures to be implemented should be incorporated from the design phase of any system that processes health data. In addition, in order to further implement these principles, the Recommendation specifies that compliance with these provisions should be regularly reviewed throughout the entire life cycle of the processing and that the Controller must carry out, before starting the processing and at regular intervals, an assessment of the potential impact in terms of data protection and respect for privacy, including an evaluation  about measures to mitigate the risk.

The Recommendation also sets out some interesting clarifications on the legal basis that could legitimize the processing of health data. Established that the basis of said treatment consists in the informed consent of the data subject (according to Art. 9 of the GDPR), Recommendation also provides, alternatively, two further circumstances which would seem to exclude the prior collection of a consent:

  1. when the processing is necessary for the execution of a contract concluded by the data subject with a health care worker submitted to conditions defined by law, including the obligation of secrecy;
  2. when such data have been made public by the data subject himself.

With reference to the timing of storage (“retention”) to be applied to the category of health data, the Recommendation provides that, if adequate security measures are in place, the retention may be extended[2] when processing is envisaged for purposes of storage in the public interest or for scientific or historical purposes or, again, for research and statistics. In this latter case, the data should, in principle, be rendered anonymous as soon as research, archiving or statistical studies allow; if this is not possible, pseudonymisation could be used to safeguard the fundamental rights and freedoms of the data subjects.

In conclusion, it is clear that the Recommendation follows almost blindly the requirements of the GDPR, but in any case it must be pointed the importance and relevance of these provisions in light of the increasing digitization, that, necessarily, also involves the processing of personal data. This phenomenon evidently leads to an improvement in medical care and patient care, but inevitably causes an exponential increase in the amount of health data submitted to processing operations and, as a result, it determines the necessity to apply legal and technical measures that allow effective protection of each individual.



[1] The Recommendation also outlines indications regarding the processing of health data collected through mobile devices which, whether implanted in the individual or not, may reveal information about his physical or mental state, or which have, as their object, any information concerning health care and social care benefits.

[2] Therefore, by exceeding the storage periods strictly necessary for the purpose of patient’s caring.

Media: any information that can identify a victim of sexual violence, even indirectly, is prohibited

Lawyer Vincenzo Colarocco

The Italian Data Protection Authority has reiterated, with some recent decisions (see inter alia No. 906580790657829065800 in Italian language) the principle that prohibits the media to publish information that can make identifiable, even indirectly, a victim of sexual violence.

Article. 137 of the Privacy Code provided -and still provide in the new text of Article 12, paragraph 1(c) of Legislative Decree 101/2018– that in the event of disclosure or communication of personal data for journalistic purposes the limitations imposed on freedom of the press, to protect the rights and freedoms of persons, shall be left unprejudiced, and, in particular, the limit of materiality of the information with regard to facts of public interest.

The Authority stated that this limit must be interpreted with particular strictness when are considered data suitable for identifying victims of crimes, even more so with reference to news concerning episodes of sexual violence, given the special protection afforded by the law to the confidentiality of the persons injured by such crimes.

The diffusion within an article of information suitable to make identifiable, even if indirectly, the victim, is in contrast with the requirements of protection of the dignity of the same, also according to the Article 8, paragraph 1, of the code of practice concerning the processing of personal data in the exercise of journalistic activities.

The Authority reminded that in the event of non-compliance with the prohibition, the data controller, in this case the publisher, may also incur the new administrative sanctions introduced by the GDPR, in Article 83, paragraph 5(e), which can reach up to 20 million of euro or 4% of the total annual turnover in the previous year.

Guidelines on the territorial scope of the GDPR

Lawyer Vincenzo Colarocco

The guidelines 3/2018 clarify some aspects of article 3 of the GDPR which, as known, requires many big players in the digital world to comply with the EU data legislation.

In the specific case, for instance, how can establish when an Asian company is required to comply with the GDPR? What about those who market their products through an e-commerce portal: the opening of an office in Italy is considered as an establishment?

EU Data Protection Authorities intervened to answer these and other more or less complex questions in order to facilitate the understanding and, therefore, the application of the legal provision. Article 3 of the GDPR lays down two main criteria: the “establishment” and the “object of processing of personal data”. If one of these two criteria is met, the relevant provisions of the GDPR will apply. Moreover, paragraph 3 settles the application of the current legislation in the case of processing of personal data by a data controller that is not established in the European Union but in a region subject to the law of a Member State under international public law.

Clearly, these Guidelines will have the effect to produce strong consequences both on institutions and on european and foreign companies. This is exactly why the European Data Protection Board has submitted the text for public consultation before its final approval.

Therefore, it is expected the final text that will surely be useful in order to guarantee a proper interpretation of the EU regulation.