Publishing and removing personal data on the Internet

Consent required

The General Data Protection Regulation (GDPR) contains 6 bases for processing data. One of them is consent. Under the GDPR, in most cases, you need consent from the data subjects to publish their personal data on the Internet.
Did you initially receive consent to post photos or data on the Internet? If so, people can still ask you to delete or change their photos and data later on. This is because people have the right to withdraw or change their consent later. In that case you are obliged to delete or change their personal data.
 

Personal or domestic use

Is your publication intended for personal or domestic use only? If so, an exception applies: the GDPR does not apply here. You therefore do not need permission for publication.
Conditions for personal or domestic use
This exception only applies if:
•    you publish privately, and thus not on behalf of a company;
•    you publish exclusively for your own personal or domestic purposes, i.e. not for professional or commercial purposes (as well);
•    you ensure that the information is visible only to a limited circle of people, such as your family members or friends;
•    the data is not public to everyone (not even to “friends of friends” on Facebook);
•    the data cannot be found via search engines.
 

Note: Are you the administrator of a Facebook page? If so, you are partly responsible for processing the personal data of visitors to that page.

Is the Facebook page intended for a broader audience, such as a platform for an organisation or company? And is it accessible to people other than friends or self-chosen contacts? In that case, it does not concern exclusively personal or domestic use and the GDPR applies.
 

Shielding information
 

On Facebook you can set your profile to be accessible to your friends only. Or that the page is visible to members only. You can do this via the privacy settings. For example, you can set a mandatory password for your weblog or website and shield the pages with personal data from search engines.

Journalistic use

Certain exceptions apply to the GDPR in the event of journalistic publications. This is to ensure there is a balance between privacy protection and freedom of expression.
To qualify as a journalistic exception, it must concern a journalistic activity. This is an activity the sole purpose of which is to communicate information, opinions or ideas to the public. It does not matter which medium is used.
To determine how the right to privacy relates to the right to freedom of expression, you need to weigh up all interests. The following factors, among others, play a role in this:

•    the contribution to a debate of public interest;
•    the extent to which the data subject is known by the public;
•    the subject of the message;
•    the previous behaviour of the data subject;
•    the content, form and consequences of the publication;
•    the manner in and the circumstances under which the information was obtained and its certainty.
Also take into account measures to limit the privacy breach.
 

Note: You must also be able to base a journalistic publication on a legal basis.
 

Consequences of journalistic exception

Does a publication qualify as a journalistic exception? If so you, as an author, do not have to ask consent from the data subjects for the use of their personal data.

Note: Does the journalistic exception apply? Then consent, once given, cannot be withdrawn. For example, consent to publish an interview.

Complaint about a journalistic publication on the Internet

Do you have a complaint about the publication of your personal data in, for example, a news article on the Internet? What you can do depends on whether or not the publication qualifies as a journalistic exception.

No journalistic exception

Is there no journalistic exception? In that case, the GDPR applies. You have the right to request rectification or deletion of your data. You can ask the owner (administrator) of the website for this.
Would you like to have your data rectified? To make this request, you can use our template letter for rectification . To have your personal data removed, you can use the template letter for the deletion of personal data.
Are you unable to reach an agreement with the organisation? In that case, you can submit a complaint to the Dutch Data Protection Authority (DPA).
 

Journalistic exception

Does the journalistic exception apply? In that case, the Dutch Data Protection Authority (DPA) is not authorised to rule on your complaint. However, a court is. Alternatively, you can contact the Netherlands Press Council, which can mediate on your behalf.
 

• Is someone using your personal data for a journalistic purpose? If so, a conflict may arise between the author’s freedom of expression and the protection of your privacy. These fundamental rights are equal. A court must therefore decide which right has more weight in the relevant case. If you want to go to court, you must submit the request yourself. You do not need a lawyer for this. You can however request advice from the Juridisch Loket legal advice service.
•   The Netherlands Press Council is an independent body you can contact in the event of a complaint about journalistic activities. The Netherlands Press Council can mediate between you and the website or the journalist involved. You can read more about the complaint procedure on the Netherlands Press Council website.

Publication of personal data by the government

The government holds a lot of information. Sometimes the government is legally obliged to make that information public. However, government organisations, such as municipalities, increasingly make information public of their own accord. For example, on their website.
They do this to be transparent about what they do. Does that information contain personal data? If so, the organisation must weigh the importance of information being public against the right to privacy before publication.

Limit the breach of privacy
 

A government organisation may not unnecessarily publish your personal data. The organisation must make this assessment in advance. Is there no need to publish your personal data? In that case, the organisation must remove it from a document before publication. Alternatively, the organisation can decide to publish only part of the document.

Asking consent
 

The government organisation may also ask you for consent to make certain data public. However, you are never obliged to give consent. And you can always withdraw consent.

Note: A Dutch government organisation may never make your signature and citizen service number (BSN) public.

Are your details incorrect? Or, for example, is your data irrelevant? In that case, you can ask the government organisation to correct or supplement your data.
In a number of situations, an organisation must delete your data on the Internet. For example, if:
•    your data is no longer necessary for the purpose for which it was collected;
•    you withdraw your consent or object to the processing of your data.
Example: digital construction archive
Municipalities are legally obliged to keep a public register of all building permits applied for and granted. Municipalities can choose to make this register accessible via the Internet. This is known as the digital construction archive.
The municipality may not publish personal data in the digital construction archive that is not necessary. Such as the telephone numbers and email addresses of the people who have applied for a building permit.

Removing data from a website
 

Is your data on a website even though you don’t want it to be? In that case you can submit a request for removal. For this you need to contact the owner of the website. You can use our template letter for the deletion of personal data to do so. When your data is no longer on that website, it will also disappear from search engine results.
Do you believe the website is unfairly rejecting your request? In that case, you can submit a complaint to the Dutch Data Protection Authority (DPA).

Remove data from forums
 

Do you post data or statements on a forum via a post or a response to a post? In doing so, you give the owner of this website permission to publish this data. You cannot request for your comment to be deleted completely. You can, however, ask the owner of the website to delete data that can be traced back to you as a person.

Removing data from a genealogical website

You can only have personal data removed from a genealogy website (family tree research) if it concerns your own data. Family members can authorise you to have their data deleted if they are unable to do so themselves. You must submit your request to the genealogist who owns the website.

Deceased family members
 

You cannot have data of deceased family members removed. The General Data Protection Regulation (GDPR) does not apply to deceased persons, unless the personal data of your deceased family member also relates to you. In that case the GDPR does apply.
This may be the case, for example, with hereditary diseases. Your family tree may list diseases that caused family members to die. This information may also apply to you or other surviving relatives and therefore qualify as personal data. The genealogist may only publish this information if the surviving relatives have given permission for this.

Removing personal data of children
 

Check with your child first whether it is possible to remove the data yourself. For example, if your child has posted a photo on Instagram or on their own website.
Are you unable to delete the data yourself and is your child under 16? In that case, ask the website owner to delete your child’s personal data. Children aged 16 or older can themselves ask the website owner to delete their data.
Website response to request for removal
A website does not always have to comply with your request for removal. Even though you have the right to be forgotten. This is because other rules play a role as well. Such as the right to freedom of expression and information.
To assess whether a website is obliged to delete your data, the following questions play a role:
1.    Does it concern personal data?
For example, a general review about a campsite often does not contain personal data. The right to removal as stipulated under privacy laws does not apply in that case, because it does not concern a person. However, if the review is very specifically about the owner of a campsite, the right to removal does apply. As in that case a review can have an impact on someone’s private life.
Note: do you want to have your personal data deleted on account of libel or slander? In that case, you need to report it to the police as an offence prosecutable only on complaint.
2.    Does the website have a basis?
In other words: does the site have a legal right to process personal data? If not, the website must delete your personal data immediately. 
3.    Does the information qualify as a journalistic exception or classed as academic, artistic or literary forms of expression? 
For example, photos and videos of a band that no longer exists can be classed as a form of artistic expression.
4.    What is the result of weighing the interest between the right to erasure and the right to freedom of expression and information?
People have the right to express their opinions and also the right to information. For example, via review sites about healthcare providers, restaurants or hotels. Therefore, a website cannot simply be obliged to delete personal data. There must be a good reason for this. Good reasons may be, for example, that the information is outdated and no longer serves a general interest, but relates to someone’s private life.
No longer traceable to you as a person
If a website must comply with your request for removal, the information concerned may no longer be traceable to you as a person. This can be achieved, for example, by removing or anonymising the information.

Withdrawing consent
 

Did you previously give permission to place your data on a certain website, but you have since changed your mind? If so, you can always withdraw your consent. For this you can use the template letter to withdraw consent from the DPA. If you withdraw your consent, publication of your data on that website is no longer permitted. This applies from the moment you withdraw your consent.

Note: You cannot therefore hold anyone accountable for any damage caused by the publication of your data before you withdrew your consent.

Removing data from a search engine
 

If your personal data remains on the website, you can submit requests for removal to search engines instead. Even though your personal data will remain on the website, but they will no longer appear when someone types your name into a search engine. Search engines assess per situation whether they must comply with a request for removal. Sometimes the removal is mandatory, but not always. 

Right to be forgotten

In certain situations you have the right to be forgotten. In the GDPR this is called the “right to oblivion” or the right to have data deleted (erased). This right also applies to the search results of a search engine. This involves removing search results that appear when you search for your name. Would you like to have a search result removed? In that case, you must refer to the pages where the information about you can be found.
A search engine must also comply with your request for removal if your name has not (yet) been deleted from the web page to which the search result refers. Even when the relevant web page reference to you is legitimate.

Exception to removal from search results

Sometimes the public’s interest in access to the information outweighs a person’s privacy. In such a case, a search engine does not have to comply with a request for removal. This mainly concerns weighing the role that someone plays in public life. And what impact the reference has on that person’s private life.
Assessing a request for removal is therefore customisation. The following matters play an important role in the assessment:
•    The person’s interest in having the search results removed.
•    The public’s interest in having access to the information.
•    Does the person play a role in public life? For example, does it concern a politician or someone who appears in the search results based on their position?
•    What is the nature of the information published? For example: is the data related to the person’s working life? Do the search results pose a particular risk to the person? Is the person a minor?
•    What is the type of source publishing the information? Has the information been published for a journalistic purpose?

Submitting a request for removal

Practical information about submitting a request for removal to various search engines can be found at veiliginternetten.nl. 

Request denied
 

Did a search engine reject your request for removal? And you don’t agree with the decision? In that case, you can take the following steps.
•    Contact the search engine. Alternatively, file a complaint. You may still be able to come to an agreement together.
•    If you have not already done so, contact the owner of the website to which the search result refers. You can use our template letter for the deletion of personal data to do so. When your data is no longer on that website, it also disappears from the search engine results.
•    Are you unable to work it out? In that case, you can go to court or ask the DPA to mediate. This is stipulated in the General Data Protection Regulation (Implementation) Act (UAVG).

Going to court
 

You can opt to submit your case to the (civil) court. You can do this by submitting a written request to have your request for removal granted, pursuant to Article 35 of the UAVG. You can send this request yourself, without the assistance of a lawyer. You can however request advice from the Juridisch Loket legal advice service, if you want. The court can order the search engine to remove certain links from the results when searching on your name.

Mediation by the Dutch Data Protection Authority (DPA)

You can also ask the DPA to mediate, pursuant to Article 36 UAVG. Note: you must submit your request to the DPA within 6 weeks of receiving the search engine’s rejection. In order to mediate, the DPA needs copies of your request for removal and the search engine’s rejection.

You can send your request to:
Dutch Data Protection Authority (DPA)
(Autoriteit Persoonsgegevens)
Postbus 93374
2509 AJ Den Haag, the Netherlands.
Upon receipt, the Dutch Data Protection Authority (DPA) will assess:
•    whether your request meets the legal requirements;
•    whether there is sufficient reason to process your request.
If mediation by the DPA is unsuccessful, you can still go to court.