March

A stewardess on board the Endless Summer yacht, docked at Universal Marine Center in Fort Lauderdale in 2015, was awarded nearly $70.6 million in damages after she sued the yacht 's owner following an incident involving the yacht's deckhand.

Rafael Dowgwillowicz-Nowicki was arrested and charged with four counts of sexual battery after the woman reported he entered her cabin drunk and forced her to have sex with him, threatening to kill her if she did not go along with it.

The lawsuit alleged that the yacht's owner failed to provide proper security for the victim.

A driver in Milton Keynes, when stopped by Thames Valley Police, surprised the officer by handing over a driving licence displaying both the details and photograph of Homer Simpson.  When the officer stopped a driver in Buckinghamshire, they are handed a licence with the cartoon character's 'address' and picture.  The name was H. Simpson, and the address was 28, Springfield Way, USA.

Thames Valley Police said in a tweet: "Earlier this week, PC Phillips stopped a car in Milton Keynes.When she tried to identify the driver's ID, she found the below... 

(Image courtesy of SkyNews)

Replying to the tweet, Mark Chunder wrote: "Clearly a fake. Homer lives at 742 Evergreen Terrace."

The police confirmed that "the driver's car was seized and he was reported for driving with no insurance and driving without a proper licence".

Under GDPR, if a right to be forgotten request is received by a company, must it be honoured?

Not necessarily according to Bryan, Cave,Leighton and Pasiner Law Firm.  They state:

GDPR indicates that people have a “right to be forgotten” in some situations, but that right is not absolute.  Rather it only exists in the following six situations – many of which do not apply to personal data collected as part of an employment relationship. 

1. Companies must delete data upon request, if data is no longer necessary. If personal data that was collected by a company about an individual is “no longer necessary in relation to the purposes for which [it was] collected,” the company typically must honor a right to be forgotten request.¹  If an employee, or a former employee, makes a right to be forgotten request therefore a company should begin by asking (1) why was the data collected in the first place, and (2) is the data needed any longer for that purpose. 
2. Companies must delete data upon request, if data was processed based solely on consent. The GDPR allows companies to process data in six different types of situations.² While one of those situations is where a person has “given consent” to the processing, the Article 29 Working Party – an influential, independent advisory body to the European Commission on data protection matters that is chiefly comprised of representatives from each member state’s data protection authority – has taken the position that “for the majority of . . . data processing at work, the legal basis cannot and should not be the consent of the employees” because of the perceived unequal bargaining position between an employer and an employee.³ As consent is typically not the sole basis for which an employer processes data, an employer typically is not required to honor a right to be forgotten request simply because an employee purports to be withdrawing his or her consent.
3. Companies must delete data upon request if the data was processed based upon the controller’s legitimate interest, and that interest is outweighed by the data subject’s rights. One of the other grounds upon which a company can process data is to further the company’s “legitimate interest.”  When processing is based upon a company’s legitimate interest, an employee has a right to request deletion unless the employer’s or a third party’s interest is demonstrably “overriding.”⁴  In the employment context most processing is not based upon the controller’s legitimate interest, but rather the performance of the employer’s obligations to the employee or legal requirements to collect information.  That said, if a company did collect information for its legitimate interest (g., shirt size of employees in order to provide jerseys for an office softball team), the data subjects request that the information be deleted would typically not be overridden by the company’s interest in the information.
4. Companies must delete data upon request if data is being processed unlawfully. The GDPR states that a right to be forgotten request must be honored if the processing of the personal data is (or has become) unlawful.⁵  Assuming that an employer is lawfully processing data relating to an employee, or former employee, this situation may have little applicability.
5. Companies must delete data upon request if erasure is already required by law. The GDPR states that a right to be forgotten request must be honored if the data is required to “be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.”⁶  If an employer is required to erase data pursuant to another member state law and is complying with that requirement, there may be few, if any, situations in which additional action would be necessitated by a right to be forgotten request.
6. Companies must delete data upon request if it is collected from a child as part of offering an information society service. The GDPR requires the deletion of information when requested where the information was “collected in relation to the offer of information society services” to children under 16.⁷  Even if your organization employs children under the age of 16, it is unlikely that the situation would be characterized as the offering of an information society service.  As a result, this situation does not apply to most employers.

Even if one of the situations described above is present, a company does not always need to honor a right to be forgotten request.  For example, a company can choose to decline such a request if honoring it would interfere with a legal obligation imposed on the company to maintain employee data, or if an employee’s data is needed to establish, exercise, or defend a legal claim.⁸

 

GDPR indicates that in some situations the request must be honoured, but not all. If consent was specifically given for the collection of data, normally this data should be deleted when no longer needed. This article discusses the various scenarios.