Data Privacy Compliance in the Cloud
Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

The Right to be forgotten - Practical perspective


The right to be forgotten under article 17 of GDPR brought up conflict between the right of an individual to object to processing his or her personal data by data controllers and the right of the society to be well informed through the media, having direct impact on the freedom of expression.

In Bulgaria this issue was discussed during the presidential elections in 2016. Some of the presidential candidates were formal agents of the intelligence structures, which were functioning during the communist regime. A number of online media included the information in their articles, reminding the public of the candidates’ past.

In such a hypothesis, as if the GDPR was already in full force, it would be possible to claim that some of the candidates were entitled to exercise their right to be forgotten under article 17 of the GDPR. Such request would have resulted in deleting the published information as it has achieved its purposes to inform the public. There are two possibilities for addressees of such a request – to address multiple specific websites, or to address the search engines to delete the information, that appears in search results. From business perspective addressing a search engine would mean that articles from small online media would not be accessible through search engines making them difficult to find by the majority of the public.

Taking a look from a different angle would show that from legal perspective the right to be forgotten under article 17, paragraph 1 is opposed to the exclusions introduced in paragraph 2, as per which the right to be forgotten shall not prevail in case the data is used for the purposes of freedom of expression and information. In this case it would be the addressee (e.g. corresponding media or search engine) who will decide upon whether the exclusions shall apply or the right to be forgotten shall take effect.

When resolving on the right to be forgotten it would not be uncommon, if in order to stay on the safe side and limit possibility for breach of data processing rules, the business owners to decide in favour of the data subject.


Article provided by:

  • Mitko Karushkov, Partner at Kambourov & Partners, Bulgaria
  • Mario Arabistanov, Associate at Kambourov & Partners, Bulgaria


Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

CPC project office: Dr. Tobias Höllwarth,



53 lawyers from 33 countries are contributing to the project “Cloud Privacy Check (CPC)” in 26 different languages.

Understanding the complexity of current European data protection laws and regulations is already difficult enough for an IT engineer, buyer, or business user. In combination with the often small but nevertheless significant differences between various EU member states, however, it can become an almost insurmountable challenge without proper juristic accompaniment from the very start... Read More



The CPC is a trusted, not-for-profit international network of qualified professionals who deliver simplified and straight-forward guidance to help navigate the legal and regulatory environment relating to privacy and the cloud. This is done through collective know-how, research and market analysis gained from pan-European industry activity, collaboration and experience. Our mission is to provide authoritative views, information and practical solutions to two principal stakeholders: industry professionals and public authorities.