By | Monday January 25th, 2016

Much has been discussed about the right to be forgotten introduced by the new EU Regulation. But is it really something new? The wording of Article 17 Right to erasure (“right to be forgotten”) in the new EU Regulation is all but linear, with constant references to other articles, so its’ interpretation in some places is not easy. In Dlgs. 196/03 deletion of data is addressed, whereas in ‘Article 7 (Right to access Personal Data and Other Rights), addresses where the subject may request the cancellation of data in violation of the law (Art. 7-3b))

 Section 7 (Right to Access Personal Data and Other Rights)

3, A data subject shall have the right to obtain

1. b) erasure, anonymization or blocking of data that have been processed unlawfully, including data whose retention is unnecessary for the purposes for which they have been collected or subsequently processed;

This case is provided for in Article 17 of the EU Regulation (Art. 17 – 1d)

Article 17 Right to erasure (“right to be forgotten”)

1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(d) they have been unlawfully

Also it might be thought that the provisions of Art. 17(1b), of the EU Regulation can fall into that category, whereas data processing carried out without the consent of the person concerned (after the person concerned has withdrawn consent), is in breach of the law.

(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing of the data;

However, it is not the only case that on this subject finds a parallel  between EU Regulation and Legislative Decree 196/03.

Also provisions to ‘Article 17(1a) of the EU Regulation

(a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

is in part a response to the provisions of Article 16 (Termination of Processing Operations) of Dlgs. 196/03.

Section 16 (Termination of Processing Operations)

Should data processing be terminated, for whatever reason, the data shall be

a) destroyed;

It is more difficult to find a parallel with the provisions of the EU Regulation Article 17(1c)

(c) the data subject objects to the processing of personal data pursuant to Article 19(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing of personal data pursuant to Article 19(2);

Dlgs. 196/03 provides for a right of opposition, in Article 7(4a)

A data subject shall have the right to object, in whole or in part,

4. a) on legitimate grounds, to the processing of personal data concerning him/her, even though they are relevant to the purpose of the collection;

but this doesn’t automatically imply deletion of the data. Similarly the provisions of the EU Regulation to Art. 17 (1e)

(e) the data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

does not find an exact response in Dlgs. 196/03, except as provided in the aforementioned Art. 16. (Termination of Processing Operations) .

Category: Legal framework Tags: , , ,

About Giancarlo Butti

Deals with ICT, organization and legislation since the early 80s covering different roles: security manager, project manager, auditor at banking groups, consultant in security and privacy to companies of different sectors and sizes. Performs regular activity of dissemination through articles (over 700), books (21 between books and white papers also used as university texts, 11 collective works within the ABI LAB, Oracle Community for Security and CLUSIT), technical manuals, courses, seminars, conferences… participates in working groups to ABI LAB on Business Continuity, Risk and GDPR, ISACA-AIEA on GDPR and 263, Oracle Community for Security, UNINFO, ASSOGESTIONI and the Committee of experts for the innovation of OMAT360. He is a member of the faculty of ABI Training. He is a partner and proboviro of ISACA-AIEA Member of CLUSIT and BCI. He is certified (LA BS7799), (LA ISO IEC 27001:2013), CRISC, ISM, DPO, CBCI, AMBCI.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.