How to handle requests for deletion of personal data ("right to be forgotten")?

When a Service Owner receives a subject access request concerning the right to deletion, the request should in principle be granted if:

  1. The Data Subject withdraws consent and processing was based on consent;
  2. The data were collected in the legitimate interests of the Organisation and those interests cannot be considered as core to the purpose of the Organisation;
  3. The data were collected and processed not in compliance with OC11;
  4. The data are no longer necessary for the originally stated purpose and there is no compatible ongoing purpose;
  5. There is no ongoing processing for which there is an appropriate legal basis (e.g. retaining information to fulfil contractual or legal obligations).

In general the request should not be granted if the data are part of journalistic publications.

The following situations should always be referred to the ODP:

  1. There are archiving interests or scientific or historical research purposes to keep these data;
  2. The Data Subject is claiming harms arising from the processing;
  3. Data Subjects ask that search engines remove certain results about them (without the underlying documents/data being removed). Service Owners in charge of search engines running at CERN should be prepared to execute valid requests locally and may refer Data Subjects to external search engines such as Google (https://www.google.com/webmasters/tools/legal-removal-request?complaint_... and https://transparencyreport.google.com/eu-privacy/overview?hl=en) for more complete removal (de-listing).