Don’t forget the right to be forgotten

The Data Protection Agency recently issued serious criticism of an employer who did not respond adequately after receiving a deletion request relating to video content from a former employee.

Norrbomvinding 10237

A data controller must, without undue delay, delete the personal data of a data subject if the processing of the data is based on consent and that consent is withdrawn, unless the data controller has another processing basis to support the processing. In this case, the Data Protection Agency had to decide whether an employer had fulfilled its obligations in this regard.

The case involved a former employee of a consulting firm who, during his employment, had given consent for the consulting firm to publish photos and videos of him for use in promotional material on the company's website, leaflets, newsletters and other external material.

During the employee’s employment, a number of advertising videos were recorded, which included the employee in question, and posted on the consulting firm's website and YouTube channel. Following the termination of the employment relationship, the employee asked the consulting firm to remove a video of him from YouTube. The firm confirmed the same day that it would cut him out of all commercials. Around two weeks later, the firm confirmed that he had now been cut out of the YouTube commercial, stating that no further changes to the video material would be made as he had consented to the firm’s use of the videos.

When the former employee realised that he continued to appear in the firm’s marketing material, he complained to the Agency.

An unnecessarily slow deletion process
Initially, the Agency noted that the company had based its processing of the personal data on the employee’s consent and that this consent had to be considered withdrawn at the request for deletion.

The Agency noted that after three months the employee was still appearing in a video on the consulting firm’s website as well as in a video on the company’s YouTube channel. The Agency therefore expressed serious criticism for the consulting firm’s failure to fulfil its obligation to delete the videos in which the employee appeared without undue delay.

Norrbom Vinding notes

  • that the decision shows that employers must carefully consider whether a request for deletion constitutes a withdrawal of consent, as the starting point is that any personal data processed on the basis of the consent must be deleted without undue delay, unless the employer (already) has another lawful basis for the processing; and
  • that the specific situation also illustrates the general weakness of basing processing on consent, since consent is relatively easy for the data subject to withdraw; but
  • that it is stated, however, in the Agency's guidance on data protection in the employment context that processing of images, including videos, of employees will often be possible only on the basis of consent.

The content of the above is not, and should not be a substitute for legal advice.

More about the subject