Privacy Tech EU
Data Rights 28 April 2026 7 min read

The Right to Be Forgotten Under GDPR — Privacy Tech EU

The right to erasure — commonly called the “right to be forgotten” — is one of the most discussed provisions of GDPR. Enshrined in Article 17, it gives individuals the ability to request that organisations delete their personal data in certain circumstances.

Understanding when this right applies, how to exercise it, and when organisations can lawfully refuse is essential for both individuals and data controllers.

What Is the Right to Erasure?

Article 17 GDPR grants individuals the right to obtain the deletion of their personal data without undue delay when certain grounds apply. The right is not absolute — it is subject to specific conditions and exceptions.

The European Court of Justice established the concept in the 2014 Google Spain case, where the Court held that search engines must, in certain circumstances, remove links to outdated or irrelevant personal information about individuals from search results.

GDPR formalised and expanded this principle. It now applies across all data controllers, not only search engines.

When the Right to Erasure Applies

A data subject can request erasure when one or more of the following conditions are met under Article 17(1):

  1. The data is no longer necessary for the purpose for which it was collected or processed
  2. Consent is withdrawn and there is no other lawful basis for processing
  3. The individual objects under Article 21 and the controller has no overriding legitimate grounds
  4. The data has been unlawfully processed — i.e. processed without a valid legal basis
  5. Erasure is required to comply with a legal obligation under EU or member state law
  6. The data was collected in relation to the offer of information society services to a child

If none of these conditions apply, the controller is not obligated to erase the data.

How to Submit an Erasure Request

There is no prescribed format for erasure requests under GDPR. An individual can submit a request verbally or in writing — by email, letter or through an online form if the organisation provides one.

To make an effective request:

  1. Identify yourself clearly — provide enough information for the organisation to locate your records
  2. State that you are making an erasure request under Article 17 GDPR
  3. Specify what data you want deleted — be as specific as possible (e.g. “all data relating to my customer account”)
  4. Explain which grounds apply — e.g. “I have withdrawn my consent” or “the data is no longer necessary”

You do not need to use legal language. A clear email stating your request and the reason is sufficient.

Many organisations now provide online privacy portals where data subject rights requests can be submitted and tracked. Check the organisation’s privacy notice for details.

How Long Does an Organisation Have to Respond?

Under GDPR, a data controller must respond to an erasure request without undue delay, and in any case within one calendar month of receiving the request.

If the request is complex or if the individual has submitted multiple requests, the controller may extend this period by a further two months — but must notify the individual of the extension and the reasons for it within the initial one-month period.

Controllers must always confirm receipt and provide a response — even if they are refusing the request. A response of “we received your request and are processing it” with no further update does not satisfy the obligation.

When Organisations Can Refuse

The right to erasure is not absolute. Article 17(3) sets out circumstances where controllers are not required to comply:

  • Freedom of expression and information — e.g. journalism, academic research, or matters of genuine public interest
  • Legal obligations — the data must be retained to comply with a legal requirement (e.g. financial records required under tax law)
  • Public health tasks — processing in the public interest for health purposes
  • Scientific, historical or statistical research — where erasure would seriously impair the research purpose
  • Legal claims — the data is necessary for the establishment, exercise or defence of legal claims

If a controller refuses, it must explain why in writing and inform the individual of their right to complain to their national supervisory authority.

Erasure in the Context of Search Results

The Google Spain ruling established that search engines must consider requests to remove links to pages containing personal data that is “inaccurate, inadequate, irrelevant or excessive” in relation to the individual’s right to privacy.

Submitting a removal request to a search engine is a separate process from submitting an erasure request to a website directly. Removing a link from search results does not delete the underlying data on the original website.

Google, Bing and other major search engines provide online forms for submitting removal requests under EU law. These requests are evaluated individually — removal is not guaranteed and is subject to balancing against the public interest in the information remaining accessible.

What Happens When a Request Is Accepted?

When a controller accepts an erasure request, it must:

  1. Delete or anonymise the data without undue delay
  2. Inform any third parties to whom the data was disclosed, directing them to erase links to, copies of, or replications of the personal data (Article 17(2)) — unless this proves impossible or involves disproportionate effort
  3. If the data was made public, take reasonable steps to inform other controllers processing the data that erasure has been requested

In practice, truly complete erasure across all third-party systems is technically complex, and data controllers must take reasonable rather than perfect steps.

Erasure vs. Restriction

Sometimes individuals want to stop a controller using their data without requiring permanent deletion — for example, while a dispute is being resolved. This is distinct from erasure and falls under the right to restriction of processing (Article 18 GDPR).

Restriction means the controller retains the data but cannot actively process it — it is effectively quarantined. This is an alternative to erasure in situations where the grounds for erasure are disputed or where the individual needs the data retained for legal claims.

For a full overview of all eight rights, see our EU data subject rights guide.

FAQ

Frequently Asked Questions

Can I request that Google remove a news article about me from search results? +

You can submit a request to search engines under the right to erasure. The request is evaluated against the public interest in the information. Matters of genuine public concern — particularly involving public figures — are less likely to succeed.

Does erasure under GDPR apply to data held in backups? +

Erasure obligations extend to backup systems, but controllers may have a short period before a backup is overwritten. If data is erased from live systems and the backup is periodically refreshed, this generally satisfies the obligation, provided the backup is not actively processed in the interim.

What if an organisation ignores my erasure request? +

You can complain to your national data protection authority. In the UK this is the ICO; in Germany the relevant Landesbeauftragter fur Datenschutz; in France the CNIL. Supervisory authorities can investigate and issue fines or enforcement orders.

Can employers refuse to delete former employee data? +

Yes, in many cases. Employers often have legal obligations to retain payroll, tax and employment records for statutory periods — typically 6 years or more in many EU jurisdictions. These obligations override the right to erasure for specific data types.

Does the right to erasure apply to deceased persons? +

GDPR covers living individuals only. Data relating to deceased persons is generally not subject to GDPR rights, though some member states have introduced national rules extending protection to posthumous data.

← Back to Blog