Article 17

Right to erasure (‘right to be forgotten’)

1.   The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:


the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;


the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;


the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);


the personal data have been unlawfully processed;


the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;


the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

2.   Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

3.   Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:


for exercising the right of freedom of expression and information;


for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;


for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);


for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or


for the establishment, exercise or defence of legal claims.

What does it mean?

The data is no longer needed for its original purpose

If you collected data for a specific project and it’s now complete, erasure might be required.

Consent is withdrawn

If processing relied solely on an individual’s consent, and they change their mind, you must erase the data unless another lawful basis exists.

Legitimate objection with no overriding reason

If a person objects to the processing of their data and you cannot provide a compelling reason to continue, you are required to delete their data.

Unlawful processing

If you find out you’ve been processing data without a legitimate legal basis, it needs to be deleted.

Legal obligation

You must follow EU or member state laws that necessitate erasure of certain data.

Data from children offering online services

Special protections are in place for children’s data, and erasure might be necessary in certain situations.

If you’ve published personal data and are required to erase it, you should take reasonable steps to inform other organisations processing that data about the erasure request. This procedure should involve requesting the removal of links, copies, or replications.

Yes, there are exceptions. Erasure is not required when:

  • It conflicts with the right to freedom of expression and information.
  • Processing is necessary to comply with a legal obligation or for a task in the public interest.
  • It’s required for public health reasons (as outlined in the GDPR).
  • It’s for archiving in the public interest, scientific, historical research, or statistical purposes (under Article 89(1)), and erasure would impact those objectives.
  • The data is essential for legal claims.

The GDPR require you to delete the personal data without undue delay after you have received a valid request.

Start by establishing clear internal procedures for handling erasure requests. These should include steps for verifying the individual’s identity, assessing whether deletion is legally required, and outlining the process for removing data across all relevant systems and backups.

Knowing where your organization stores personal data is essential, which is a good reason have a detailed records of processing activities as required by Article 30. This will help ensure complete deletion when requests are received.

Technical tools and automation can be a major asset, especially for organizations with complex processes and data storage. Consider software that helps locate and erase personal data.

Since backups are also important, develop a strategy for handling erasure requests in the context of your backups. This might involve tailored deletion of data from backups whenever feasible or regularly scheduling complete backup deletion after a reasonable timeframe.

If you share personal data with third parties, have a system to notify them of erasure requests and ensure their compliance.

Finally, remember to document all steps taken regarding erasure requests. This is important for demonstrating your GDPR compliance efforts and helps when handling any potential disputes.

Awareness Training

Ensure that your entire company is equipped with the necessary awareness training on the basics of GDPR and IT security.