Right to be forgotten

GDPR for HR | 25.05.2020

There is no doubt that one of the fundamental objectives of the GDPR is to increase the level of people’s trust in the digital society.

The right to erase personal data is also known as the “right to be forgotten”.

The right to be forgotten pursuant to art. 17 of the GDPR is actually the right to erasure of the interested person’s data, extended also with reference to the digital society.

It should be clarified that the right to erasure of data, such as erasure of data when they are no longer necessary for the purpose for which they were collected, was already granted, also prior to the GDPR regulation.

In particular, with regard to the mere deletion of data in response to the candidate’s request, the best practice is the one which permits the candidate to have access to his/her personal area and autonomously proceed with the deletion of his/her personal data.

This would be the optimal condition to ensure compliance with the standard requested by the regulation. A specific technology will permit each candidate to register and have his own private area, which allows a control by the candidate himself with reference to the use and possible cancellation of his data. This represents currently the only way, which allows the effective application of the rule.

Just think about how often we happen to file a curriculum vitae in paper form, or to send it to a colleague. How could we then remember all this in case of cancellation request? How would such actions be traced in the absence of a suitable technology?

As already mentioned above, we can speak about “the right to be forgotten” (and not only of cancellation), concerns the specific duty of the data controller who receives a request for cancellation when the data that has been the subject have been “Made public” by the data controller himself.

In such a case, art. 17, paragraph 2, requires the data controller to not only erase data. He must also, “given the available technology and the cost of implementation”, take “reasonable steps, including technical ones” to communicate the request also to the other data controllers or processors who are using the data made public by the data controller.

This obligation, of course, exists when the request of the interested party concerns the cancellation of “any link, copy or reproduction of his personal data”.

It is therefore clear how much this apparently standard rule is actually much more complex than you think, and even more complicated will be its correct implementation.
In fact, it places the obligation on the data controller to become a ” via ” between the interested party and anyone who is processing his/her data.

The recipient of the request seems to have only the duty to report, obviously leaving the responsibility of the other controllers/processors to assess whether or not it should also be accepted by them, taking into account the specific legal basis under which each of them operates.

Moreover, the cross-reading of art. 17 of the GDPR and the principles of transparency and accountability regulated by the GDPR too, could suggest that the duty of reporting information to the interested party must be somehow taken into account.

Essentially, the candidates have the right to ask for the deletion of their personal data. This means that the involved company will have the duty to identify all the places (physical or digital) where such information has been archived (Excel file or e-mail, etc.) and to erase all such data within one month from the request.

This is one of the most delicate elements of the GDPR. In order to avoid incurring in significant penalties, it is advisable to abandon manual management of recruiting processes generally based on Excel sheets, especially by considering that the Excel sheets can be easily duplicated, modified and shared without the knowledge of the owner.

In the SaaS (Software as a Service) model, for example, it is the provider who will guarantee the correct implementation of the obligations relating to the cancellation. In the case of Arca24, in fact, sharing with the outside world is always done through links and never through the transmission of documents. This method is able to guarantee its duly cancellation. At that point, by deactivating or deleting the link, the data would be deleted, without having to remember which platforms the link was shared on.

When we speak about the right to be forgotten under the GDPR we speak about a very complex question, which goes far beyond the right to oblivion applied to the search engine and the news spread through the means of information society.