March 27, 2017
On 9 March 2017, the Court of Justice of the EU ruled that EU citizens cannot demand that personal data concerning them be removed from a company’s register thus imposing limits on the “right to be forgotten” ruling.
The case concerned an Italian businessman who took legal action against an Italian chamber of commerce because its records showed that he had managed a company which went bankrupt over ten years earlier and he felt that this was damaging to his reputation.
The court had already ruled in 2014 that internet search engines must remove information deemed "inaccurate, inadequate, irrelevant or excessive" for the purposes of data processing, or face a fine.
The ruling led to the European Union’s General Data Protection Regulation (GDPR) which will apply from 25 May 2018 and provides EU citizens with the right to be forgotten, namely the right to have personal data concerning them removed when there was no valid reason for retaining it.
The recent ruling has imposed limits on this right. The court ruled that the right to be forgotten did not apply in relation to personal data included on company registers where the need to protect the interests of third parties and ensure legal certainty took precedence over an individual’s right to be forgotten.
The Court did not however exclude the possibility that access to personal data be restricted in certain cases. However, as there are many reasons why access to data on company registers may be necessary even after the company has ceased trading as well as different limitation periods applicable to such records in the different member states, the Court deemed that it was not possible to specify a maximum retention period.
It remains to be seen how this question will evolve in the future.