margin of autonomy of the controller to choose the means to protect the data. This impact assessment is required, according to the Regulation, only when data processing presents“ specific risks” for individual rights and freedoms, such as those involving certain sensitive information or a systematic and extensive evaluation or prediction of personal aspects relating to a natural person, which is based on automated processing, and on which measures are based that produce legal effects or significantly affect the individual 38. To fulfil this duty the controller itself is expected to evaluate the likelihood and severity of risks for individual rights in the light of the nature, the scope, the context and the purposes of the processing.
Personal data breaches, the GDPR also acknowledges, may entail potentially severe damages to the rights of individuals. Therefore, as soon as the controller becomes aware that a personal data breach has occurred, the controller should without undue delay notify the breach to the competent supervisory authority, as well as the data subject, unless the controller is able to demonstrate that the personal data breach is unlikely to result in a risk for the rights and freedoms of individuals( Articles 31 and 32) 39.
Lastly, the“ right to be forgotten” allows data subjects to request that search engines remove links to pages deemed private, even if the pages themselves remain on the Internet. This novel right has been justified by the need to protect the individual’ s autonomy to decide what aspects of his / her life are to be kept in a private or public domain( Mantelero, 2013, p. 230). In its decision on Case C-131 / 12( Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos( AEPD), Mario Costeja González) the European Court of Justice clarified that search engines like Google could not escape their responsibilities before EU law when handling personal data 40. The Court recognised that when the processing of personal data is carried out by a search engine, it may have a greater impact on an individual’ s right to data protection as it enables a more detailed and organized gathering of information on said individual, while making it more easily accessible. The Court further elucidated that individuals have the right, under certain conditions, to request search engines to remove links leading to information about them( paragraph 93 of the ruling). The Court, however, made it clear that this right is not absolute and needs to be balanced against other fundamental rights, namely the freedom of expression( paragraph 85 of the ruling). A case-by-case assessment is, thus, required whereby the type of information in question, its sensitivity for the individual’ s private life and the interest of the public in having access to that information, are pondered( Mantelero, 2013, p. 232-233). The Court left no doubt, in its decision, that it is up to Google to assess deletion requests and to apply the criteria mentioned in EU law and the Court’ s judgment. As a result, a major power is being assigned to Google and, inherently, to other data controllers, to determine whether to delete or keep specific information online, one that may only be controlled ex-post, and under complaint, by national
38 Whereas 66a GDPR.
39 Whereas 67 and Whereas 67a new GDPR.
40 Case C-131 / 12, Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos( AEPD), Mario
Costeja González( 2014) ECR. Available at: < http:// curia. europa. eu / juris / liste. jsf? num = C-131 / 12 >( last accessed 18.03.2016).
56