The technological development and the increased internet usage have challenged the protection of personal data. The Directive 95/46/EC of the European Parliament and of the Council was
adopted in 1995, without any knowledge of the huge development of the internet and its impact on the protection of natural persons and their personal data.
In 2010 the European Commission announced their concerns due to the risks of sharing personal data online. They argued for the need of a new legislation regarding the data protection rules.
The Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation or GDPR) was adopted in April 2016 and came into force 25 May 2018.
Under Article 17 of the GDPR the data subject has the right to erasure and a right to be forgotten. The right to be forgotten is an extension of the right to erasure of which the data subject will be
able to request complete erasure in any electronic data processing. This thesis examines the obligations of the controller according to the rules regarding the right of the data subject to obtain erasure of personal data. To analyze these obligations of the controller, the thesis is divided into 4 parts. The first part is an overall introduction to the process and the initiatives behind the adoption of the GDPR. The
second part explains and analyzes the concept of erasure and the obligations of the controller to erase the personal data of a data subject under Article 17(1). Furthermore, the cases in which
Article 17(1) and 17(2) do not apply will be presented. The third part is an analyze of the obligations of the controller to inform other controller when the controller has made the personal
data of the data subject public under Article 17(2) or when the controller has carried out the personal data to a recipient. The fourth part consider the Google Spain case and its contribution to
the understanding of the right to be forgotten, since no cases are to be found in Danish case law.
The conclusion of this thesis is that the obligations of the controller is not fully clarified due to the limited amount of case law. The controller is obligated to erase the personal data of a data subject
if at least one condition under Article 17(1) are met and no other rule prevail the data processing. The controller has the responsibility to assess whether the data subject has the right to erasure on
behalf of the concrete situation. Future case law will hopefully clarify the interpretation of the right to erasure and right to be forgotten.
|Educations||MSc in Auditing, (Graduate Programme) Final Thesis|
|Number of pages||88|
|Supervisors||Vishv Priya Kohli|