Google LLC – Complaint Upheld (Greece, 2023)

A data subject filed a complaint with the Greek DPA (HDPA) on the grounds that Google LLC (the controller) did not satisfy his right to erasure, namely had not erased, as requested, 309 links with results relating to him, appearing on the Google search engine when searched by his name. Following subsequent communications of the HDPA and the parties involved, as well the HDPA’s own investigation, it was determined that the HDPA had yet to decide on 9 links for which the controller claimed that the data subject’s right to erasure was unfounded, and on further 4 links which were revealed after HDPA’s investigation. The HDPA ruled that the controller must comply with the right to be forgotten under Article 17 GDPR unless it can prove compelling legal grounds to retain the data and ordered the controller (per Art. 58(2) GDPR) to delete 9 links mentioned in the complaint and to confirm that links 1, 3, and 6–9 do not appear in Google search results when the data subject’s full name is used. The controller informed the HDPA that they are the respective controller for any data collected by the Google search engine. As the controller has no main EU establishment, the “one-stop-shop” mechanism under Articles 56 and 60 GDPR does not apply, making the HDPA competent under Articles 2(1), 3(2), and 55(1) GDPR. The HDPA also held that while not a public figure, the data subject’s professional activity places them in a role of public interest, as executives of significant companies may attract public interest.