on on personal data violations. Google,
as a data controller, has already been
abiding by Article 12 of the Directive
95/46/EC and removing personal data
content accordingly. Once the GDPR co-
mes into force, search engines will once
again be the most prominent party to all
disputes. Additionally, companies who
process personal data for marketing
purposes will also have to abide by the
regulation. As long as they process the
personal data of data subjects who are
citizens of EU Member States.
SANCTIONS IN GDPR
The companies who fail to secure the
rights of the data subjects and violate
their rights will face costly charges. As
outlined in Article 83 (4) of the GDPR,
if the cause of the infringement, or in
other words non-compliance, is found
to be regarding the controller or the
processor, the certification body or mo-
nitoring body, the administrative fine
could be up to 10,000,000 EUR or 2%
of worldwide turnover. Similarly, ac-
cording to paragraph (5) of the same
Article, Data protection authorities will
have the right to impose fines of up to
20,000,000 EUR or 4% of the annual
worldwide turnover of the company, if
the regulations core principles are vio-
lated. These include the processing of
the data, the rights of the data subject
and obligations pursuant to Member
State law (1). Additionally, The EU com-
mission, reversed the burden of proof
with the GDPR. Individuals will no lon-
ger have to prove why they need the
personal data removed but instead, the
companies will have to prove that the
data cannot be deleted because it’s still
relevant and necessary (2).
RIGHT TO BE FORGOTTEN VS.
FREEDOM OF EXPRESSION
Discussions about how the right to era-
sure may undermine freedom of expres-
sion and access to information is taking
place all over the globe. It has been ar-
gued that deleting certain news links
about certain people, may be giving
criminals a blank slate and setting them
free from the burden of their past mis-
haps. Whether this is a positive aspect
IT IS PREDOMINANTLY CLEAR
THAT THE GDPR HAS PROVIDED
A PROFOUND GROUNDWORK
FOR HOW THE RIGHT TO
ERASURE CAN BE EXERCISED.
THE RIGHTS OF THE DATA
SUBJECT HAVE BEEN GUARDED
AGAINST POTENTIAL PROBLEMS
ARISING AFTER THE DATA HAS
BEEN OBTAINED.
or not is a controversial topic and cur-
rently debated around the world.
In a case concerning the removal of
personal data from a search engine, the
European Court of Justice held that ‘the
right to be forgotten is not absolute but
will always need to be balanced against
other rights, such as the freedom of exp-
ression and the rights of the media’ (3).
In this case (c-131/12), a Spanish law-
yer, Mario Costeja Gonzales, requested
that news about the foreclosure on his
house be removed from the website of a
local newspaper. Years had passed since
the tim e of the hardship he had encoun-
tered and he had eventually managed to
turn his life around. However, the news
about his economic adversity had re-
mained on the internet and popped up
every time he typed his name into the
search engine. Now that the content of
the news was irrelevant and inaccura-
te, Mr. Gonzales wanted the links to be
removed. The court made the decision
to grant Mr. Gonzales the right to erasu-
re and ultimately laid the basis for the
right to be forgotten (4). Ever since this
decision, there have been numerous
discussions about how this right will
be balanced against other fundamental
rights. The freedom of expression under
Article 10 of the European Conventi-
on on Human Rights, isn’t an absolute
right. The enforcement of this right ne-
eds to be weighed against other rights
concerning the privacy of individuals.
As a result, the European Court of Justi-
ce has ruled that all disputes concerning
the issue of personal data erasure, sho-
uld be dealt with on a case by case basis
(5). This will allow the court to make
well-balanced decisions, since they’ll be
reviewing every case based on its indi-
vidual merits.
Article 17 (3) of GDPR on the other hand,
specifically mentions the circumstances
in which Article 17 (1) and Article 17
(2) will not be enforceable. If processing
of personal data is necessary for certain
reasons, the data subject will not be able
to invoke his or her rights identified un-
der Article 17 (1) and 17 (2).
The reasons which override the right
to erasure include the exercising of the
right of freedom of expression and in-
formation, for compliance with a legal
obligation, for reasons of public interest
in the area of public health, for achie-
ving purposes in the public interest, sci-
entific or historical research purposes
or statistical purposes and finally for
the establishment, exercise or defence
of legal claims. The balance aspect of
the right is defined under this parag-
raph. The European Council has written
an evidently clear regulation which has
set guidelines for the right. Both the re-
asons for when an individual can and
reasons for when an individual can’t in-
voke his or her right to be forgotten is
spelled out distinctly, leaving little room
for confusion.
TURKISH DATA PROTECTION LAW
(TDPL)
After years of debate and waiting The
Turkish Data Protection Law (no 6698
and originally named “Kişisel Verilerin
Korunması Kanunu”) has published in
Official Gazette in 07.04.2016.
The right to erasure, which has also
been cited as the ‘right to be forgotten’
also exists in a similar manner under
the TPDL. Article 7 of the law, renders it
possible for the data subject to request
the data controller to ‘erase’, ‘destroy’
or make the personal data ‘anonymo-
us’. Be that as it may, the vagueness of
this particular article is an invitation to
potential problems arising with regards
to the right. TDPL only seems to allow
the invoking of this right if the reasons
for processing the data have become
redundant or if the data was attained
unlawfully. Regardless, the right to be
forgotten isn’t an absolute right and is
dependent on the specific situation of
the data subject and the nature of the
obtained data.
47