Let’s Talk Data Privacy!

By Paola Ibraj

Nowadays, every part of our lives can be digitalized. On a daily basis we are asked to share our personal information, or we fill in forms with our personal details, and thus constantly expose private information. Not long ago, our email inboxes were filled with emails from companies whose services we do not even remember having solicited or subscribed to, informing us of the “updates to privacy policies”.

Does it sound familiar?! – Say hello to GDPR!

GDPR is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 “On the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of such Data”, repealing Directive 95/46/EC (General Data Protection Regulation). It is a new instrument introducing several improvements, inter alia as regards dealing with data violations.

Globalization and technological progress have profoundly changed the way our data is collected, stored and treated. Before GDPR, the EU Member States had implemented Directive 95/46/EC “On the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data” (“Directive of 1995”) differently, resulting in divergences in enforcement.[1] Therefore, the repeal of the old Directive constitutes an ambitious data protection reform, which is considered “the most important change in data privacy regulation in twenty years”[2], and it aims to enact stronger rules on data protection so that people can exercise stronger control over their personal data.

As for territorial scope, GDPR follows the principle that, no matter where the company processing the data is located, inside or outside the European Union, and whether it is a European or non-European company, when offering services to European consumers it must apply and meet GDPR[3] requirements.[4]

Albania is among the countries where data protection is quite an important and relevant topic. While working on alignment with EU legislation, Albania has put the transposition of the GDPR on its agenda. In this context, the end of 2020 is foreseen as the timeline within which transposition of GDPR is expected, through amendments to the current Albanian Data Protection Law.[5]

  • So, when this happens, what powers do we get?

GDPR grants data subjects various rights which enable them to object to data processing. Accordingly, when a data subject files a claim based on such rights, action must generally be taken without undue delay and, in any event, within one month from the time of receipt of such claim.[6] Through GDPR, not only are there stricter provisions about what companies can do with our data, but it also grants each one of us more control over how personal data is collected and used, and ‘forces’ companies to justify every part of the processing.

Through GDPR, new rights have been introduced. Therefore, comparing Albanian legislation to the GDPR, there are certain requirements to be provided for in order to appropriately meet the safeguards of GDPR. The process of fully transposing GDPR would, amongst others, require Albanian law to reflect, under specific provisions for data subjects, qualifications regarding the information requirements and the rights to rectification, restriction of processing, data portability, and objection to the processing of their personal data.[7]

One of the rights ‘reformed’ by GDPR, which also received much attention from the press after the 2014 judgment of the EU Court of Justice[8], is the ‘right to be forgotten’. The Court ruled that data subjects have a right to request that companies operating search engines, such as Google, that keep personal data for profit delete links to private information when requested, provided that the information is no longer relevant.[9]

  • How is the ‘right to be forgotten’ going to be applied?

This article takes a closer look at when the data subject can exercise his/her right to be forgotten, and what the controller should do in order to ensure GDPR compliance. In particular, GDPR requires that a data subject should have the right to request the erasure and cessation of further processing of personal data when certain conditions are met. These conditions, introduced in Article 17 of GDPR, are as follows:

  • where the personal data is no longer necessary in relation to the purposes for which they are collected or otherwise processed;
  • where a data subject has withdrawn his/her consent or objects to the processing of personal data concerning him/her; or
  • where the processing of his/her personal data does not otherwise comply with the GDPR.[10]

It is estimated that around one-third of internet users do not have a clear idea of what personal information is available online, who owns it, or even where it is located. The spread of cyber information and its misuse has introduced a completely new set of legal challenges for lawyers.[11] Of course, this does not give carte blanche to anyone who wants to have any information expunged, and it is not an absolute right. GDPR outlines a balance with other rights. This means that one will not enjoy the right to be forgotten if the personal data is considered necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, on the grounds of public interest, for the purposes of scientific or historical research, or for the establishment, exercise or defence of legal claims.[12]

In practice, under GDPR, if you hold personal records of somebody else, for instance their birth date, email or any information which is personal to them, that person can email you asking you to remove all their information, and you need to do this as quickly and as accurately as possible, but in any case within no longer than thirty days.

What is considered a ‘reform’ of the right to be forgotten is that GDPR gives data subjects advantages in exercising this right more effectively, providing them with a “small set of tools” by detailing, broadening and defining the scope of the right, which can be summarized as follows:

  1. Reversing the burden of proof when requesting the right to be forgotten. Accordingly, the controller has the obligation to prove that the data cannot be deleted if still needed or if still relevant.
  2. The data processor must ensure the erasure of these data from third parties as well. GDPR imposes an obligation on the controller who has made the personal data public to inform third parties of the fact that the data subject wants the data to be deleted.
  3. As explained above, this right is neither absolute nor unconditional. GDPR has outlined exceptions and limitations, taking into account different aspects such as possibility, proportion, costs etc.

Conclusions

Overall, the right to be forgotten is considered to be the second most difficult GDPR obligation in practice, along with the right to data portability, which is ranked as the first one.[13] In principle, this right is not completely new, nor introduced for the first time by the GDPR, since the Directive of 1995 did provide that a person could require his/her personal data to be deleted once such data is no longer necessary.[14] What is considered a fundamental modernisation of data protection rules is the new perspective on how this right may be exercised under GDPR.

Given the past experiences of other legal systems, the suitable application of the right to be forgotten requires striking a balance between it and the freedom of expression.[15] The right to be forgotten, even though new as treated under GDPR, is constantly challenged by other rights and freedoms.

[1] Fourth Progress Report Towards an Effective and Genuine Security Union, COM (2017) 041 final (Jan. 25, 2017); (accessed on 23rd of July 2019). Available online: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52017DC0041&from=EN

[2] EU General Data Protection Regulation Portal; (accessed on 19th of July 2019); www.eugdpr.org

[3] See further: Megi Kurti, “The Impact of GDPR on Private Law – Challenges of Business Liability and Personal Data Protection in Albania”; Available online: https://bogalawjournal.com/the-impact-of-gdpr-on-private-law/

[4] General Data Protection Regulation, Article 3

[5] Annual Report (2018), Information and Data Protection Commissioner in Albania; (accessed on 25th of July 2019). Available online: https://www.idp.al/wp-content/uploads/2019/03/ENGLISH_Annual_Report_2018_KDIMDP.pdf

[6] See: General Data Protection Regulation, Recital no. 59 – The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.

[7] General Data Protection Regulation, Recital no. 156

[8] Judgment of the Court (Grand Chamber), 13 May 2014; Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González; (accessed on 19th of July 2019). Available online: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62012CJ0131

[9] Electronic Privacy Information Center; “Google vs. Spain summary”; (last accessed on 19th of July 2019) https://epic.org/privacy/right-to-be-forgotten/

[10] General Data Protection Regulation, Recital No. 65

[11] “Right to be forgotten – erasing your private information from cyberspace”; (accessed on 25th of July 2019). Available online: https://legal.thomsonreuters.com/en/insights/articles/erasing-your-private-information-from-cyberspace

[12] General Data Protection Regulation, Paragraph 3, Article 17

[13] See “IAPP-EY Annual Privacy Governance Report 2017”; (accessed on 23rd of July 2019). Available online: https://iapp.org/resources/article/iapp-ey-annual-governance-report-2017/

[14] Directive 95/46/EC “On the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of such Data”, Article 12

[15] “Not just one, many rights to be forgotten”, Policy review; (accessed on 25th of July 2019). Available online: https://policyreview.info/articles/analysis/not-just-one-many-rights-be-forgotten

 

* * * * *

Paola Ibraj

Paola is an Associate at Boga & Associates (2018), where she mainly practices corporate and private law.

Paola has recent significant engagements in the field of legal writing, corporate law issues and contract drafting. She has a deep interest in corporate law, with a goal to devote her professional career to it. She has participated in the 3rd week of the United Nations Commission on International Trade Law 48th Commission Session in Vienna.

Paola has previously worked in the Ministry of Justice (2018) and in matters involving Justice Reform in Albania (2016 – 2017), as a representative of the European Law Students Association (ELSA) in Albania, on Coalition Justice for All (USAID project). She has contributed as a researcher in international legal research groups, in cooperation with the Council of Europe and K&L Gates.

Paola holds a Bachelor of Laws and Master of Science in Private Law (2017) from the University of Tirana and has attended an exchange program where she followed International Law Courses in Masaryk University, Czech Republic (2014 – 2015). Further, Paola has obtained two postgraduate certificates from University of Saarbrücken, Germany (2016; 2017).
