The Data Protection Agency recently issued serious criticism of an employer who did not respond adequately after receiving a deletion request relating to video content from a former employee.
A data controller must, without undue delay, delete the personal data of a data subject if the processing of the data is based on consent and that consent is withdrawn, unless the data controller has another processing basis to support the processing. In this case, the Data Protection Agency had to decide whether an employer had fulfilled its obligations in this regard.
The case involved a former employee of a consulting firm who, during his employment, had given consent for the consulting firm to publish photos and videos of him for use in promotional material on the company's website, leaflets, newsletters and other external material.
During the employee’s employment, a number of advertising videos were recorded, which included the employee in question, and posted on the consulting firm's website and YouTube channel. Following the termination of the employment relationship, the employee asked the consulting firm to remove a video of him from YouTube. The firm confirmed the same day that it would cut him out of all commercials. Around two weeks later, the firm confirmed that he had now been cut out of the YouTube commercial, stating that no further changes to the video material would be made as he had consented to the firm’s use of the videos.
When the former employee realised that he continued to appear in the firm’s marketing material, he complained to the Agency.
An unnecessarily slow deletion process
Initially, the Agency noted that the company had based its processing of the personal data on the employee’s consent and that this consent had to be considered withdrawn when the request for deletion was made.
The Agency noted that after three months the employee was still appearing in a video on the consulting firm’s website as well as in a video on the company’s YouTube channel. The Agency therefore expressed serious criticism of the consulting firm’s failure to fulfil its obligation to delete the videos in which the employee appeared without undue delay.
The content of the above is not, and should not be used as, a substitute for legal advice.