EU and Swedish data removal rights
GDPR gives a person enforceable rights against each controller that processes their personal data. It does not provide a universal command to make information disappear from the internet.
What the rights can do
An erasure request under Article 17 can require deletion where data is no longer needed, consent is withdrawn without another lawful basis, processing is unlawful, or the person objects to direct marketing. An objection to direct marketing is especially strong: the controller may no longer process the data for that purpose.
An access request can establish whether a controller has the person’s data, where it came from, why it is used, and sometimes who received it. The person can then request erasure, correction, restriction, or an objection with a record of the request and response.
Search-engine delisting is a different remedy. It can remove results shown for a name search, but leaves the underlying page accessible directly or through other searches. The search engine weighs privacy against the public interest in the information. GC and Others C-136 17 holds that search-engine processing is separate from and additional to the publisher’s processing. A name search can give strangers a structured profile of one person and surface a page they otherwise would not find.
Criminal-offence results receive a demanding test. IMY right to remove search results says they must be removed unless continued display for the person’s name is strictly necessary for freedom of information. The source being journalistic is relevant, but it does not automatically establish that name-linked search visibility is necessary. Criminal-offence data under GDPR Article 10 explains the separate handling issue for a concierge that receives the underlying case material.
An effective challenge should preserve the exact URL, the name query and result position, Google’s refusal and reasons, the current legal status, the person’s private or public role, the passage of time, and evidence of concrete consequences. For a page containing a home address, photograph, full judgment, or material about third parties, the request should explain why each additional disclosure is excessive or unnecessary for a name search.
TU and RE v Google C-460 20 adds two useful distinctions. A requester who supplies reasonably obtainable, relevant, and sufficient evidence of a manifestly inaccurate material claim does not first need a judgment against the publisher. Photographs displayed as name-search thumbnails also require their own balance.
Address-bearing pages can justify a parallel request under Google private-information removal policy. That policy covers addresses and certain doxxing combinations involving threats or harassment. The policy route and GDPR de-referencing should be submitted separately because they ask different questions and can produce different remedies.
Challenging name-search indexing of criminal coverage turns these rules into an evidence-led workflow for serious and recent criminal-information results.
Child sexual offences are not a categorical exception
A child sexual abuse or child sexual abuse material conviction strongly increases the public-interest weight, especially when the conviction is recent, the person is publicly prominent, or the information is relevant to a current child-facing role. Google says it considers whether continued display is needed to protect users from similar future crimes.
That does not create an automatic lifetime rule. The litigation behind GC and Others C-136 17 included a former school supervisor convicted of sexual touching of minors, sentenced to seven years’ imprisonment, given ten years of socio-judicial supervision, and banned from work involving children.
Google refused his request and the French regulator closed his complaint. In Conseil d’Etat 401258, the French court nevertheless held that continued name-linked access was not strictly necessary. It relied on his private-person status, the age of the facts and conviction, reintegration harm, and the direct and permanent access produced by name indexing. The accurate press source and the still-active supervision measure did not change the result.
The decision concerned contact sexual abuse, not a child sexual abuse material conviction. Its general Article 10 reasoning nevertheless demonstrates that EU law has no offence-label shortcut: seriousness is a major factor within the balance, not a rule eliminating the balance.
Swedish criminal-record policy points in the same structural direction. Official extracts for school and preschool work include all sexual offences and child-pornography offences, but access is tied to a child-facing suitability decision. The Police states that a conviction is only part of that assessment and does not itself prohibit employment. Prison entries are ordinarily removed from the official criminal record ten years after release, subject to rules that can extend retention to a maximum period.
Those register rules do not control Google’s GDPR balance. They show a policy alternative to universal public indexing: targeted safeguarding for roles where the risk is relevant, combined with time limits and restricted access.
Controllers normally must respond within one month. They may extend by up to two further months for a necessary complex request, but must explain that promptly. The person can complain to Integritetsskyddsmyndigheten (IMY) when a controller does not comply.
What the rights cannot promise
The right has important exceptions for freedom of expression and information, legal duties to retain records, public-interest or official tasks, and legal claims. Swedish authorities, healthcare providers, and businesses with accounting obligations can therefore often retain records even after a request.
Removal by one controller does not automatically remove independently obtained copies elsewhere. When a controller made data public, it must take reasonable steps to inform other controllers processing links, copies, or replications, but this is not a guarantee of complete internet deletion.
In Sweden, searchable people-information services with an utgivningsbevis have constitutional protection similar to traditional media. That has made removal from some people-search and judgment-search services substantially more difficult than a routine GDPR opt-out.
Legal Newsdesk Sweden C-199 24 now establishes that a publication certificate alone cannot displace GDPR for non-journalistic processing. Making public criminal judgments available to any paying user does not become journalism merely because the judgments are public or useful to journalists. The activity needs an actual journalistic purpose, editorial selection or policy, verification, and applicable ethical practice.
The judgment does not itself remove Lexbase material. The Swedish court must apply the test, and each controller must determine the effect on existing storage, search, publication, and erasure requests. There is no general exception for data acquired before the judgment, because continued storage and availability are ongoing processing.
IMY has current collective investigations into several such services, and says it is not handling individual complaints about the same questions while those investigations proceed.
Business implication
The viable offer is a Swedish and EU data-rights concierge, not a guarantee to erase a person from the internet. It can inventory exposure, identify the responsible controller, send and track tailored access, erasure, objection, correction, and search-engine-delisting requests, then prepare evidence and an IMY complaint or lawyer referral for denials.
The strongest initial cases are direct-marketing suppression, private-directory removal, account closure, and name-search delisting of stale, irrelevant, sensitive, or demonstrably inaccurate results. Criminal-information requests deserve separate handling: the operative question is not merely whether the source is accurate, but whether continuing to connect it to a private person’s name is strictly necessary at the time of the request. The service should clearly separate ordinary administrative requests from contested publication, public-record, and litigation matters.
Because a concierge handles identity documents, addresses, and often sensitive allegations, its own data minimization, authorization, security, retention, and processor/controller roles are core product requirements. The difficult Swedish utgivningsbevis cases are a specialized premium niche, but the changing legal position makes outcome guarantees inappropriate.