EDPS participates in fourth Coordinated Enforcement Action: focus on the right to erasure of personal data
Demonstrating our commitment to the consistent application and enforcement of data protection across the EU institutions (EUIs) and the EU as a whole, the EDPS is participating in the European Data Protection Board’s (EDPB) Coordinated Enforcement Action on the right to erasure of personal data.
This is the fourth Coordinated Enforcement Action that the EDPS partakes in alongside 31 data protection authorities (DPAs) of the European Economic Area, since the launch of the initiative, under the Coordinated Enforcement Framework, in 2022. Prior topics concerned the role of data protection officers, the use of cloud services in the public sector, and the right of access to personal data in the EU institutions, bodies, offices and agencies (EUIs) and across the EU.
Wojciech Wiewiórowski, EDPS, said: “With our involvement in this Coordinated Enforcement Action, we walk the talk by continuously advocating for a coherent application of EU data protection law, and the consistent protection of individuals’ personal data, across the EU/EEA. The right to erasure empowers individuals to reclaim their identity in the digital world. It is a complex right to ascertain, therefore our role is to ensure that it is correctly understood and applied within the EUIs.”
The right to erasure - or right to be forgotten - is enshrined in Article 19 of Regulation (EU) 2018/1725 (EUDPR), the EU data protection law for EUIs, and in Article 17 of the General Data Protection Regulation (GDPR) for EU/EEA countries, that have similarities. This right allows individuals to maintain control over their personal data, by requesting its deletion from EUIs or EU/EEA’s public or private entities that are processing this personal data. It is the most frequent right that individuals ascertain.
Importantly, the right to erasure (or right to be forgotten) is not an absolute right; exceptions exist under the EUDPR and GDPR, such as, in the case of compliance with a legal action, for public interest. Therefore, each request to erasure from individuals needs to be analysed on a case-by-case basis by controllers who decide on the processing of individuals’ personal data based on a justified and legal reasoning. The right to erasure therefore challenges the delicate balance between the right to data protection and the collective memory of society.
To carry out this Coordinated Enforcement Action, the EDPS will conduct a fact-finding exercise, including a questionnaire to EUIs’ controllers, based on the analysis of complaints by individuals regarding the right to erasure, to check how they apply the legal obligations of this right. As a follow-up, the EDPS will summarise its findings, draw conclusions on the best and worst practices found, and identify areas for improvement.
The results of this joint action will also be analysed in a coordinated manner with the other DPAs of the EU/EEA to decide on further supervision and enforcement actions, if necessary. The EDPB will publish a report on the outcome of this analysis, once the coordinated enforcement action concludes.
Background information
The rules for data protection in the EU institutions, bodies, offices and agencies, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725. Wojciech Wiewiórowski (EDPS) was appointed by a joint decision of the European Parliament and the Council to serve a five-year term, beginning on 6 December 2019.
About the right to erasure: The right to erasure or right to be forgotten is the right for any data subject to obtain from the controller of a processing operation without undue delay the erasure of personal where one of the following grounds apply:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based according to point (d) of Article 5(1), or point (a) of Article 10(2), and where there is no other legal ground for the processing;
- the data subject objects to the processing pursuant to Article 23(1) and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation to which the controller is subject;
- the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
About complaints to the EDPS: The EDPS investigates complaints from individuals about the processing of their personal data carried out by EUIs.
More information on the right to complain to the EDPS and the EDPS’ complaint handling process can be found on the EDPS Website under the Complaints page.