News
Data protection18.08.2020

Written By

Søren Terp Kristophersen

Associate

Don’t forget the right to be forgotten

Søren Terp Kristophersen

Associate

18.08.2020

The Data Protection Agency recently issued serious criticism of an employer who did not respond adequately after receiving a deletion request relating to video content from a former employee.

NVI_Portrætter_done_040_web.jpg

A data controller must, without undue delay, delete the personal data of a data subject if the processing of the data is based on consent and that consent is withdrawn, unless the data controller has another processing basis to support the processing. In this case, the Data Protection Agency had to decide whether an employer had fulfilled its obligations in this regard.

The case involved a former employee of a consulting firm who, during his employment, had given consent for the consulting firm to publish photos and videos of him for use in promotional material on the company's website, leaflets, newsletters and other external material.

During the employee’s employment, a number of advertising videos were recorded, which included the employee in question, and posted on the consulting firm's website and YouTube channel. Following the termination of the employment relationship, the employee asked the consulting firm to remove a video of him from YouTube. The firm confirmed the same day that it would cut him out of all commercials. Around two weeks later, the firm confirmed that he had now been cut out of the YouTube commercial, stating that no further changes to the video material would be made as he had consented to the firm’s use of the videos.

When the former employee realised that he continued to appear in the firm’s marketing material, he complained to the Agency.

An unnecessarily slow deletion process
Initially, the Agency noted that the company had based its processing of the personal data on the employee’s consent and that this consent had to be considered withdrawn at the request for deletion.

The Agency noted that after three months the employee was still appearing in a video on the consulting firm’s website as well as in a video on the company’s YouTube channel. The Agency therefore expressed serious criticism for the consulting firm’s failure to fulfil its obligation to delete the videos in which the employee appeared without undue delay.

Norrbom Vinding notes

  • that the decision shows that employers must carefully consider whether a request for deletion constitutes a withdrawal of consent, as the starting point is that any personal data processed on the basis of the consent must be deleted without undue delay, unless the employer (already) has another lawful basis for the processing; and
  • that the specific situation also illustrates the general weakness of basing processing on consent, since consent is relatively easy for the data subject to withdraw; but
  • that it is stated, however, in the Agency's guidance on data protection in the employment context that processing of images, including videos, of employees will often be possible only on the basis of consent.

The content of the above is not, and should not be a substitute for legal advice.

More about the subject

NewsData protection12.10.2020

Right of access to internal working documents? Must the names of employees be disclosed?

According to the Data Protection Agency, an insurance company was justified in not providing access to an internal working document as well as the names of the company’s employees to a former customer.

Read More
NewsData protection09.09.2020

Control measures: duty to provide information and transparency

The Data Protection Agency recently completed five inspections focused on employers’ duty to provide information when using control measures towards employees.

Read More
NewsData protection27.08.2020

Access to work emails? Can a request to access data be too extensive?

Under the GDPR, a data controller must provide a data subject with access to all personal data which the data controller processes about him or her, if the data subject requests it. However, the data controller may refuse to act on such a request if, for example, the scope of the request for access is excessive.

Read More
NewsData protection05.11.2019

The Data Protection Agency changes its practice regarding images on the internet

The Data Protection Agency has changed its practice in relation to publication of images on the internet. In the future, the Agency will no longer distinguish between portrait photos and situational images.

Read More
NewsData protection14.08.2019

The European Data Protection Board takes stock

The European Data Protection Board (EDPB) has issued its annual report for 2018. The report provides information on the EDPB’s work in the first seven months after the GDPR entered into force and outlines the EDPB’s plans for the future.

Read More
NewsData protection25.05.2018

Proposed directive on protection for whistleblowers

The Commission has proposed new rules to strengthen the protection for whistleblowers reporting breaches of EU law.

Read More

Norrbom Vinding’s website uses first-party and third-party cookies to, among other things, compile statistics on the number of users and their use of the website. By using the website, you consent to the use of cookies. Read more here.