Data controllers must delete the users' personal data if they are asked to do so, according to the GDPR, except in some cases that don't really apply here. But what if that personal data has ended up somewhere else on the internet, maybe on a search engine like Google, or maybe in multiple places that might even be difficult to spot completely, often because some crawling bots have copied the data? I'm not talking about a data breach, where somebody gets unexpected and unauthorized access to data that is supposed to be private. I'm talking about data that is publicly displayed on a website, so anybody (crawling bots included) can access it. It could be a username, an email address, a little picture of you as an avatar, etc.

So here are the questions:

Who is responsible for the deletion of personal information that ended up on other websites? Should the user try to get the data deleted, or should the original website do it? For example, if a user asks me to delete some data from my website, should I also try to have it removed from Google or could I just tell the user it's none of my business and that they should go ask Google on their own?

Should a user expect all this to happen as "the way internet works", or should anything be made clear in the privacy policy? For example saying "The part of your personal data that can be publicly accessed on the internet is likely to end up on other websites that we cannot control and that might not comply with the GDPR at all"?

1 Answer


See Art. 17(2) GDPR:

    Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

So the controller must tell all other controllers (like Google) to delete the data.

The privacy policy must include the fact that data is made public.

Comments:

  • The quote from the GDPR is very relevant, thanks. However, I don't agree about the data breach: if the personal data was supposed to be private, then yes, it would be a data breach; but if the data is supposed to be public (and the users are aware of this), then it can't be a data breach. I believe here we are facing an inherent problem of the internet: once you make any data public, you basically cannot control it anymore. Therefore, IMO, it wouldn't make much sense for the GDPR to apply to public data. I guess we should probably struggle to keep most user data private by default anyway.
    – reed, Sep 13, 2018 at 17:38
  • I found this about data breaches; combined with the definition from Art. 4 GDPR, I have to agree with you that this example is not a data breach. I will delete the last two paragraphs of my answer. I come to the conclusion that I am not able to answer your second question.
    – wimh, Sep 13, 2018 at 18:25
