Home » dreptul de opozitie exercitat de catre persoana vizata
 Română | English | Francais

Press Release


The right of opposition was exercised with regard to the owner of a website. A mutatis mutandis application to Case C‑131/12 Google Spain SL, Google Inc. / Agencia de Protección de Datos (AEPD), Mario Costeja González.


A private company takes over on its own website, totally and automatically, via an information programme, all of the information posted on the just.ro website as regards the cases pending before the courts of law and this information was updated every few hours, in accordance to the modifications made on the initial website.

This information is stored in automated filing system and made available to the public. The company offers subscriptions based on a fee for the service titled “my cases”.

Within a specific section of the website called “Court cases” direct searches may be carried out on specific criteria such as the name and surname and those searches reveal information on the cases pending before courts of law and which relate to the person in question. This information also appears as a result of searches, based on the name and surname, on the Google search engine and indicates a link to the data controller’s website, which means that the information is also indexed on this search engine.

With regard to the provisions of Law no. 677/2001 and in view of the activity that the company decided o carry out, the operations of taking over, recording, organisation, storage and disclosure of the data from the files pending before courts of law all represent personal data processing operations, carried out within an automated filing system.

Therefore the company in question is a personal data controller and, implicitly, is under the obligations imposed by law in respect of the legality of the processing of personal data and observing the data subjects’ rights.

We underline the fact that it is of no relevance the way in which the company obtained the data from public sources or whether these were already made public on the internet, as the company is not exempted from the obligation to observe the provisions of Law no. 677/2001, including those that guarantee the data subjects’ right of opposition.

Thus, a person exercised his/her right of opposition and requested the data controller to delete his/her data (name and surname) from the website, justifying his/her request in that he/she, as a natural person, has the right to intimacy, confidentiality and discretion with regard to his/her personal biographic data and does not want to make public on the website episodes of his/her personal life, even more so in view of the fact that the information will also be available in Romania, as well as outside the country through a simple search on a search engine.

Quite apart from the fact that the data controller didn’t respond to the data subject’s request within the deadline imposed by law, the request didn’t receive a favourable solution as the company motivated that it provides legal services with a strictly informative character and the information is collected from sources made available to the public by public authorities. The company mentioned that it cannot delete the data in question as it exercised no control over the personal data published on the websites of other institutions, even though in its turn it takes over and processes that same data.

Following this refusal, the data subject filed a complaint to the National Supervisory Authority for Personal Data Processing. The supervisory authority considered the complaint to be justified and that the data controller should have observed the exercise of the right of opposition, namely that it should have ensured the means necessary in order for that right to be exercised, reasons for which the data controller was sanctioned with a fine.

According to the provisions of article 15 of Law no. 677/2001, as modified and amended, the right of opposition entails that the data subject has the right to oppose at any moment to the processing of his/her personal data for grounded and legitimate reasons, except for the cases in which there are legal provisions to the contrary.

Such a request is submitted to the data controller in writing, signed and dated, and he/she in his/her turn is under the obligation to inform within 15 days from receiving the request of the measures he/she has taken.

In this particular case, within the relations between the data subject and the data controller there was never a mention of any legal provision that would oblige the data controller to record and keep the personal data in the context of providing its services, namely posting information collected from public sources on its website and making them available to those interested.

Processing the personal data for this purpose does not represent a legal obligation of a private company (as opposed to that of the courts of law), which established itself the purpose and means of that data processing.

As that exemption is not met, the data subject mentioned a series of reasons for which he/she wished to have the data deleted. As it wasn’t ascertained that the person is question is a public person or one that occupies a public function and the data simply referred to his/her files pending before a court of law which mustn’t satisfy the public’s over ringing interest, his/her request to delete the data cannot be refused reasoning that he/she didn’t demonstrate his/her particular situation.

On the other hand, the data controller didn’t provide any justification to the fact that its legitimate interest (which is a purely commercial one) over rides the data subject’s fundamental right to private life, and thus justify a limitation of that right.

Therefore a balance must be established between the rights granted to persona as regards the protection of personal data on one hand and, on the other, the legitimate rights of other parties, within the processing of the data subjects’ personal data.

In view of the means used to process the personal data – automated filing system, the data controller, as early as the creation of the filing system, must adopt the necessary measures to ensure the technical possibility to delete the data referring to a natural person, upon that person’s request.

To claim that you cannot ensure the possibility for data subjects to exercise their rights on the reason that the system used by the data controller doesn’t allow for such modifications to be carried out and the only solution to solve this type of problem is to eliminate those data from the website of the courts of law leads to a failure to observe the obligations provided by law to that private company as a data controller and voids of any content the right of opposition provided by Law no. 677/2001.

Article 5 paragraph (2) letter f) of Law no. 677/2001 allows for the personal data to be processed (and therefore also collected) without the data subject’s consent in the situations in which the processing refers to data obtained from documents publicly accessible, according to the law. These provisions however do not infringe on those of articles 12-17 of Law no. 677/2001, which guarantee the rights of data subjects, nor do they absolve the data controller of the obligation to observe these rights, subsequent to obtaining from public sources the documents that contain the personal data.

In its Decision of the 13 May 2014 in Case C-131/12, the Court of Justice of the European Union stated the prevalence of the right of opposition over the right to have access to information, as well as over the economic interests of the data controller which provides the information in question.

The Supervisory Authority considered that the motivation provided by the Court of Justice applies mutatis mutandis to this case in question.

The Bucharest Court of Appeal stated that both of the requirements provided for in article 15 of Law no. 677/2001 are met, in the sense that reasons invoked by the data subject in support of his/her right of opposition are justified and there are no legal provisions that would allow for this right not to be observed.

Moreover, the court of appeal admitted that the reasoning of the Court of Justice in the Case mentioned above may be applied mutatis mutandis in the situation in which the natural person in question contacts directly the owner of the web site on which his/her personal data are posted, following a simple search on the Google search engine.

The Court also showed that the data controller didn’t take any measures to limit excessive publication invoking the fact that the date were already made public as they appeared on the web site of the courts of law.

At the same time, the court of appeal noted that claiming the fact that in virtue of the principle of publicity of the hearings of courts of law the data controller is not under the obligation to delete personal data upon request of the data subject would equate to distorting that principle, one that manifest itself in front of the court of law, not also in the virtual environment. If one would accept such an interpretation of that principle, it would mean that any person would be allowed to make audio or video recordings of the hearings before courts of law and even offer those recordings to the public, in the virtual environment of the internet.

De definitive decision of the Bucharest Court of Appeal is extremely important as it confirms the Supervisory Authority’s point of view as regards the grounded legitimate interests which may be invoked by a data subject in successfully exercising his/her right of opposition, as well as the way in which web site owners must observe the principles referring to the protection of personal data, as provided by Law no. 677/2001 and those stated within the jurisprudence of the Court of Justice in this field.

In conclusion, the Supervisory Authority draws attention to the fact that an entity’s activities consisting in taking over documents that contain personal data from public sources and processing those data within their own filing systems falls under the scope of the legal framework on personal data protection. Once these personal data are obtained observing the legal provisions in this field, that entity is considered a personal data controller and will have all the obligations established by the legislation in the field of personal data protection.

We would like to mention that the provisions of articles 14 and 15 of Law no. 677/2001 guarantee to all persons the right of intervention and right of opposition to the processing of their personal data.

In this context, if the person in question believes that his/her rights have been infringed, he/she may file a complaint or a notice to the Supervisory Authority. To this end, information is available on our institution’s web site – the section titled “Complaints and Notices”.


Legal and Communication Dept.