Earlier this month, in Google Spain, S.L. v. Abogado del Estado, the Spanish Supreme Court decided that Spanish residents must address requests based on the right to be forgotten to Google, Inc. in the United States, and not to its subsidiary Google Spain, S.L. This decision follows the European Court of Justice’s May 2014 decision establishing the “right to be forgotten,” which allows EU residents to request that search engines delist or block search results linking to their personal information. The Spanish Supreme Court, however, found that Google Spain is not responsible for complying with these requests because it is not itself a data controller, as it does not decide how the search engine processes personal data. Rather, Google, Inc. is the data controller, and right-to-be-forgotten requests need to be directed to it rather than its Spanish subsidiary.
- How-to guide How-to guide: How to comply with data processing principles under the GDPR (EU) Recently updated
- Checklist Checklist: Making an international transfer of personal data under the GDPR (EU) Recently updated
- How-to guide How-to guide: How to transfer personal data lawfully outside the European Economic Area (EU) Recently updated