Guidelines 05/2019 on criteria of the Right to be Forgotten in search engines

1.6 Ground 6:   The Right to request delisting when the personal data have been collected in relation to the offer of information society services (ISS) to a child (Article 17.1.f)

39. According to Article 17.1.f GDPR, a data subject may request a search engine provider to delist one or more results if personal data have been collected in relation to the offer of ISS to a child referred to in Article 8.1 GDPR.

40. The Article covers the direct provision of ISS and no other types of processing.The GDPR does not define ISS; rather, it refers to existing definitions in EU law. There are some difficulties in interpretation as Recital 18 of Directive 2000/31/CE of the European Parliament and of the Council of June 8, 2000 provides a definition both broad and ambiguous of the notion of “the direct provision of information society services”. It mainly indicates that these services “span a wide range of economic activities which take place on-line”, but specifies that they are not restricted to “services giving rise to on-line contracting but also, inso far as they represent an economic activity, extend to services which are not remunerated by those who receive them, such as those offering on-line information or commercial communications, or those providing tools allowing for search, access and retrieval of data”, outlining the criteria of economic activity.

41. It stems from the above that search engine providers’ activities are likely to fall within the scope of direct provision of ISS. Nonetheless, search engine providers do not question whether the personal data they are indexing concern or not a child. Yet, in view of their specific responsibilities, and subject to the application of Article 17.3 GDPR, they would have to delist a content relating to a child pursuant to Article 17.1.c GDPR, acknowledging that being a child is avalid “ground relating to a particularsituation” (Article 21 GDPR) and that “children merit specific protection with regard to their personaldata” (Recital 38 GDPR). In such case, the context of the collection of personal data by the original controller must be considered. In particular, the date of the beginning of the processing by the original website must be taken into account when a data subject requests the delisting of a content.