The Italian Data Protection Authority, known as the Garante per la protezione dei dati personali (Guarantor for the protection of personal data), issued its decision on Wikipedia's processing of personal information under the General Data Protection Regulation (GDPR).
The decision comes after a formal complaint was launched against Wikipedia by an individual whose request to delete an article had been rejected by the website. Garante's decision represents a significant development in how the GDPR is enforced on online platforms, particularly those not based in the EU but targeting European users and processing their data.
Read on to learn more about the case, the Garante's decision, and how your organization can avoid a similar situation.
A Brief Background
The case began after an individual formally lodged a complaint with the Garante. In their report, the individual sought the deletion of a biographical article on Wikipedia that contained details related to a judicial matter from 2017. Per the individual, the article contained several personal details and the continued availability of those details on Wikipedia violated their privacy rights.
The individual had exercised their right to request the erasure of the article. However, the Wikimedia Foundation, which owns Wikipedia, rejected the request, stating that Wikipedia was not subject to the GDPR as it did not explicitly offer any services to EU users and merely functions as a "neutral host" for content rather than providing or creating content on its own.
The Garante's Decision
In June 2024, Garante published its decision and clarified that Wikipedia is indeed subject to the GDPR as its processing activities fall under the GDPR's scope because Wikipedia provides an extensive information service on a wide range of topics and actively targets the European market. This is shown through its consistent efforts to meet quality standards, monitor content, and create site versions tailored to users in specific EU Member States. These actions fulfill the criterion of intentionally offering services to the EU, which allows the GDPR to be applied to a data controller based in a third country without an establishment in the EU.
After clarifying the GDPR's applicability, the authority rejected the individual’s request for deletion. It explained that processing personal data for journalistic purposes is lawful, even without consent, as long as it respects individuals' rights, dignity, and the principle of essential information. Similarly, keeping the article in the online encyclopedia archive is also lawful, as archives of websites and newspapers, including printed ones, are important for preserving historical records of events.
The Garante ordered the article to be de-indexed stating that it was no longer in the public interest to keep it accessible outside the archive as it relates to outdated criminal conviction.
How Securiti Can Help
Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. It provides unified data intelligence, controls, and orchestration across hybrid multicloud environments. Numerous reputable global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance needs.
The Data Command Center has several modules and solutions designed to ensure efficient and effective compliance with all major obligations an organization may be subject to under the GDPR. These include consent management, breach management, privacy policy management, and vendor risk assessment, among others.
Request a demo today to learn more about how Securiti can help your organization comply with the GDPR and other major data privacy-related regulations worldwide.
