Imagine that an Internet service has ToS that ask the user not to divulge personal information, and then some users have stored personal information of theirs in the service nonetheless.
Based on article 6(1), processing of personal data is only lawful if a legitimate basis applies:
- Processing shall be lawful only if and to the extent that at least one of the following applies: [...]
As the Internet service did not want to process personal data, probably none of those legitimate bases applies, making the processing unlawful.
This means the Internet service must remove the personal data as soon as it knows about it. However, the Internet service is not required to actively monitor. This is similar to other kinds of unlawful data, such as copyright violations. (I make the assumption here that the Internet service does not filter the content it shows, so all content uploaded by users is shown unmodified.)
Which of the GDPR obligations does the service provider have to undertake or actively fulfil in this case?
Basically none. The GDPR does not apply because the Internet service does not know it is processing personal data. (Based on the ToS, it even avoids processing personal data.) And once it knows, it removes the personal data. In particular, this is not a personal data breach, so those rules don't apply either. The only part that would apply is the right of erasure, in particular Art. 17(1)(d):
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(d) the personal data have been unlawfully processed;
It would probably be required to have a formal notice-and-takedown procedure. But that would not be specific to the GDPR.