Blog details

Right to be forgotten: how unfit data deletion protocol resulted in a fine from Dutch DPA

Right to be forgotten: how unfit data deletion protocol resulted in a fine from Dutch DPA

A company was fined by the Dutch Data Protection Agency for failure to delete data after receiving such requests, thereby violating individuals’ right to be forgotten under the GDPR.


The Dutch Data Protection Authority (DPA) has imposed a fine of 6,000 euros on a recruitment company. The company was fined for failing to delete the data of three different people after they had requested it. The company in question, is one with which job seekers can register if they are interested in receiving intermediation for placement with companies which are hiring. Under the General Data Protection Regulation (GDPR), people can request that their personal data be deleted, for example if they no longer need the service. The recruitment company received a number of data erasure requests, however, for a few people, their names, home addresses, e-mail addresses, telephone numbers, dates of birth and CVs containing information about education and work experience remained in the company database well beyond the company’s GDPR deadline to comply with the data deletion request. As a result, the company continued to contact these people about vacancies. After an investigation by the Dutch DPA, it turned out that the recruitment company did have protocol in place for the facilitation of requests to delete data. However, in practice things went wrong a number of times. In retrospect, the company has examined its internal policy and adjusted a number of points in order to ameliorate this issue. The Dutch DPA took this into account when determining the amount of the fine. 


Data minimisation is an important principle, which will aid organisations in maintaining compliance with regard to their collection and handling of individuals’ data. 


It is imperative that organisations are vigilant about collecting and storing only the necessary information. Companies and organisations should do their best to adhere to data minimization practices to protect individuals’ privacy and comply with the GDPR, By minimising the amount of personal data gathered to only what is absolutely necessary, and only for as long as it is necessary to keep, companies can reduce the risk of potential data breaches and unauthorised access. This proactive approach not only safeguards the sensitive information of individuals but also fosters trust and credibility with customers. In addition, ensuring that personal data is only retained for valid reasons and promptly removed when no longer needed demonstrates a commitment to ethical data handling practices. By upholding the principles of data minimisation, organisations can enhance their data protection strategies and avoid legal and reputational risks associated with improper data management. Ultimately, the responsible and transparent handling of personal data is crucial for maintaining secure business practices in an increasingly data-driven world.


The GDPR outlines the circumstances under which data deletion requests must be upheld,. 


Recitals 65 and 66 and Article 17 of the GDPR include the right to be forgotten. The GDPR specifies that individuals have the right to request the removal of their personal data from the controller without unnecessary delay, and the controller must comply without undue delay if certain conditions are met. The term “undue delay” is not defined in the GDPR, but the request should be fulfilled in any case within one month. This period can only be extended by two further months under very limited circumstances taking into account the complexity and number of requests. Additionally, reasonable measures must be taken to confirm that the individual requesting erasure is indeed the data subject. The GDPR stipulates that individuals can exercise their right to be forgotten once the personal data is no longer necessary for the purpose an organisation originally collected or processed it, if the company’s basis for processing the data is the individual’s consent and this consent has been withdrawn, among other reasons. That said, there are situations where an organisation’s right to process someone’s data might override their right to be forgotten. The GDPR explains in detail under what circumstances a company may or may not be liable to adhere to a deletion request from an individual. Organisations should facilitate as much as possible the exercise of the right to be forgotten and other rights for the data subjects. 

Elevate your data protection standards with Aphaia. Schedule a consultation, and embark on a journey toward strengthening security, GDPR compliance, and the peace of mind that comes with knowing your data protection is in expert hands. Contact Aphaia today.

Prev post
Data Protection and AI chatbots: Advice from the ICO
June 6, 2024
Next post
Aphaia delivers a presentation on the new EU AI Act and the GDPR on 42Workspace in Rotterdam
June 20, 2024