Article 17 GDPR. Right to erasure (‘right to be forgotten’)

1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

Expert commentary
Author: Siarhei Varankevich CIPP/E, CIPM, CIPT, MBA, FIP
Co-Founder & CEO of Data Privacy Office LLC. Data Protection Trainer and Principal Consultant

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

(d) the personal data have been unlawfully processed;

(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII processors.

Here is the relevant paragraph to article 17(2) GDPR:

8.3.1 Obligations to PII principals

Control

The organization should provide the customer with the means to comply with its obligations related to PII principals.

Implementation guidance

A PII controller’s obligations can be defined by legislation, by regulation and/or by contract.



3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 17(3) GDPR:

7.2.2 Identify lawful basis

Control

The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purposes.

Implementation guidance

Some jurisdictions require the organization to be able to demonstrate that the lawfulness of processing was duly established before the processing.



(a) for exercising the right of freedom of expression and information;

(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);

(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

(e) for the establishment, exercise or defence of legal claims.

Expert commentary

The so-called “right to be forgotten” was hailed as a breakthrough with the adoption of the General Data Protection Regulation, even though it existed in a limited form before. Article 17 provides for a broader “right to erasure”, to take into account the exact wording of the provision. European Union residents have a right to ask for the deletion of their personal data, and the organization that holds the data has a corresponding obligation to erase them “without undue delay” under a certain number of circumstances.



Author: Louis-Philippe Gratton PhD, LLM
Privacy Expert

Data Subject Request Letter Sample

Concern: Request to erase my personal data

Dear Madam, Dear Sir,

You have data concerning me that I am asking you to delete…



ISO 27701

ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.

Here is the relevant paragraph to article 17 GDPR:

7.3.6 Access, correction and/or erasure

Control

The organization should implement policies, procedures and/or mechanisms to meet their obligations to PII principals to access, correct and/or erase their PII.

Implementation guidance

The organization should implement policies, procedures and/or mechanisms for enabling PII principals to obtain access to, correct and erase of their PII, if requested and without undue delay.



Recitals

(65) A data subject should have the right to have personal data concerning him or her rectified and a ‘right to be forgotten’ where the retention of such data infringes this Regulation or Union or Member State law to which the controller is subject. In particular, a data subject should have the right to have his or her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or otherwise processed, where a data subject has withdrawn his or her consent or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation. That right is relevant in particular where the data subject has given his or her consent as a child and is not fully aware of the risks involved by the processing, and later wants to remove such personal data, especially on the internet. The data subject should be able to exercise that right notwithstanding the fact that he or she is no longer a child. However, the further retention of the personal data should be lawful where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims.

(66) To strengthen the right to be forgotten in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data. In doing so, that controller should take reasonable steps, taking into account available technology and the means available to the controller, including technical measures, to inform the controllers which are processing the personal data of the data subject's request.
