Right to Erasure Under GDPR: What You Need to Know

Understand the GDPR right to erasure (right to be forgotten) under Article 17 — when it applies, the exceptions, and how to handle deletion requests properly.

The right to erasure, established by Article 17 of the GDPR, is one of the most powerful rights available to individuals. Often referred to as the “right to be forgotten,” it allows data subjects to request that a controller delete their personal data without undue delay. For Data Protection Officers and compliance teams, erasure requests present a distinctive operational challenge: they demand a careful assessment of legal grounds, an exhaustive data inventory, and a clear understanding of the exceptions that can override the obligation to delete.

According to a report from the European Data Protection Board, erasure requests represent approximately 28% of all data subject rights complaints filed with EU supervisory authorities, second only to access requests. In the United Kingdom, the ICO’s enforcement tracker shows that failures to handle erasure requests properly have triggered formal enforcement action in over 150 cases since the regulation took effect. These numbers signal that regulators take the right to erasure seriously, and that organizations must have robust processes in place.

This guide explains when the right to erasure applies, what exceptions exist, how to process deletion requests, and where organizations most commonly fall short.

What Is the Right to Erasure Under GDPR?

The right to erasure is codified in Article 17 of the GDPR. It grants every data subject the right to obtain from the controller the erasure of their personal data without undue delay. The controller has a corresponding obligation to erase that data where one of six specific grounds applies.

When Does the Right Apply?

A data subject can invoke the right to erasure in any of the following circumstances:

  • The data is no longer necessary for the purposes for which it was collected or processed. This is directly connected to the purpose limitation and storage limitation principles — once data has served its original purpose and no other lawful basis justifies retention, deletion is mandatory.
  • The data subject withdraws consent and there is no other legal ground for processing. Where processing was based on valid GDPR consent, withdrawal of that consent triggers the erasure obligation unless another lawful basis applies.
  • The data subject objects to processing under Articles 21(1) or 21(2), and there are no overriding legitimate grounds.
  • The personal data has been unlawfully processed. Any processing that violates the data privacy principles renders the data subject eligible to demand deletion.
  • Erasure is required to comply with a legal obligation in EU or Member State law.
  • The data was collected in relation to information society services offered to a child under Article 8(1).

The Extended Obligation Under Article 17(2)

Article 17(2) imposes a further obligation on controllers who have made personal data public. Where a controller has published the data and is obliged to erase it, the controller must take reasonable steps to inform other controllers processing that data about the erasure request. This includes notifying any data processor or third party to whom the data was transmitted. In practice, controllers must maintain records of all downstream data recipients — a requirement that aligns closely with the accountability principle.

What Are the Exceptions to the Right to Erasure?

The right to erasure is not absolute. Article 17(3) sets out exceptions where the controller may lawfully refuse an erasure request. Understanding these exceptions is essential for compliance teams assessing incoming deletion requests.

Grounds for Refusing Erasure

The GDPR permits controllers to refuse erasure where processing is necessary for:

  1. Exercising the right of freedom of expression and information. This exception is particularly relevant for media organizations and publishers, ensuring that journalistic, academic, artistic, or literary expression is not curtailed by erasure requests.
  2. Compliance with a legal obligation that requires processing under EU or Member State law. Tax records, anti-money-laundering data, and employment records subject to statutory retention periods all fall within this exception.
  3. Reasons of public interest in the area of public health under Articles 9(2)(h) and 9(2)(i).
  4. Archiving purposes in the public interest, scientific or historical research, or statistical purposes under Article 89(1), where erasure would seriously impair the achievement of those objectives.
  5. The establishment, exercise, or defense of legal claims. Organizations may retain data reasonably necessary for ongoing or anticipated litigation.

The French data protection authority, CNIL, has published guidance confirming that controllers must assess each exception on a case-by-case basis. A blanket refusal without a documented justification is itself a compliance violation.

Handling Erasure Requests in Practice

Processing an erasure request under Article 17 requires a structured, documented workflow. Organizations that lack a clear procedure frequently miss the statutory response deadline, fail to erase data from all systems, or refuse requests without proper justification.

Receiving, Verifying, and Assessing the Request

Every erasure request must be logged with the date of receipt, the identity of the requester, and the specific data or processing activities to which the request relates. As with a data subject access request, controllers must verify the identity of the requester before acting. However, verification measures must be proportionate — Article 12(6) does not permit controllers to impose barriers that discourage individuals from exercising their rights.

Before deleting anything, the compliance team must determine whether one of the six grounds in Article 17(1) is met. If none applies, the request may be declined. Equally important is assessing whether any Article 17(3) exception permits continued retention. This assessment must be documented — the accountability principle demands that controllers demonstrate the reasoning behind every decision.

Executing Deletion Across All Systems

If erasure is required, the controller must delete the personal data from all systems without undue delay. Regulators interpret this to mean within one month of receipt, consistent with the Article 12(3) deadline. An extension of up to two additional months is available for complex cases, but the data subject must be informed of the extension within the initial one-month period.

Deletion must be comprehensive, covering primary databases, email archives, CRM systems, data held by processors and third-party recipients, and any publicly accessible platforms where the data was published. Backup systems present a particular challenge — a survey by the International Association of Privacy Professionals (IAPP) found that 47% of organizations identified backups as their greatest difficulty when executing erasure, since data in backups cannot always be selectively deleted immediately.

Once deletion is complete, the controller must inform the data subject. Under Article 19, the controller must also notify each recipient to whom the personal data was disclosed, unless this proves impossible or involves disproportionate effort. Internal documentation of the entire process is essential for demonstrating compliance.
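The workflow above (identity check, Article 17(1) grounds against Article 17(3) exceptions, the Article 12(3) deadline and its extension notice, and a deletion plan that tombstones backups and notifies processors under Article 19) as a small Python model. This is an added example, not code from the article or from Legiscope; the ground and exception codes, the `backup:` and `processor:` naming of systems, and calendar-month deadline arithmetic are assumptions made for the example.

```python
import calendar
from dataclasses import dataclass
from datetime import date

# Article 17(1) grounds and Article 17(3) exceptions as short codes (naming assumed here)
GROUNDS = {"no_longer_necessary", "consent_withdrawn", "objection_upheld",
           "unlawful_processing", "legal_obligation_to_erase", "child_iss_data"}
EXCEPTIONS = {"freedom_of_expression", "legal_retention_obligation",
              "public_health", "archiving_research", "legal_claims"}

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic clamped to month end (31 Jan + 1 month -> 28/29 Feb)."""
    y, m = divmod(d.month - 1 + months, 12)
    y, m = d.year + y, m + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))

def plan_for(system: str) -> str:
    # backups cannot be cut selectively: block restoration now, purge when the cycle expires
    if system.startswith("backup:"):
        return "tombstone now; purge at backup cycle expiry"
    if system.startswith("processor:"):
        return "instruct deletion; notify recipient under Article 19"
    return "delete now"

@dataclass
class ErasureRequest:
    received: date
    identity_verified: bool      # Article 12(6): proportionate identity check before acting
    grounds: set                 # Article 17(1) grounds the assessment found to apply
    exceptions: set              # Article 17(3) exceptions the assessment found to apply
    systems: list                # every location holding the data, processors and backups included

    def deadline(self, extended: bool = False) -> date:
        # Article 12(3): one month from receipt, plus two further months for complex cases
        return add_months(self.received, 3 if extended else 1)
    def extension_notice_in_time(self, notified_on: date) -> bool:
        # the data subject must learn of any extension within the initial one-month period
        return notified_on <= self.deadline()
    def decide(self) -> tuple:
        """Returns (decision, reason); the reason is what the accountability record keeps."""
        if not self.identity_verified:
            return "verify_identity", "Article 12(6) identity check outstanding"
        if not self.grounds & GROUNDS:
            return "decline", "no Article 17(1) ground applies"
        if hit := sorted(self.exceptions & EXCEPTIONS):
            return "refuse", f"Article 17(3) exception applies: {hit}"
        return "erase", "erasure required without undue delay"
    def deletion_plan(self) -> dict:
        return {s: plan_for(s) for s in self.systems}
```

A request received on 31 January therefore falls due on 28 or 29 February, and the extended deadline on 30 April; the refusal path returns the exception codes so the documented justification the CNIL guidance expects is produced alongside the decision.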

Enforcement Consequences for Non-Compliance

The enforcement consequences for mishandling erasure requests are substantial. Under Article 83(5)(b), violations of data subject rights can attract fines of up to 20 million EUR or 4% of annual worldwide turnover, whichever is greater. The Spanish data protection authority (AEPD) has imposed fines totaling over 1.5 million EUR specifically for failures to honor erasure requests within the statutory timeline. The Swedish supervisory authority has similarly sanctioned controllers for inadequate responses to deletion requests.

Beyond fines, failure to comply with the right to erasure can trigger formal complaints, reputational harm, and litigation. Organizations that have experienced a data breach should expect an increase in erasure requests in the aftermath — and failing to respond properly during that period compounds both legal and reputational exposure.

Regulators have also emphasized that organizations cannot circumvent erasure obligations through technical obfuscation. Merely pseudonymizing, archiving, or restricting access to data does not constitute erasure; only data that has been irreversibly rendered incapable of identifying an individual is treated as erased.

FAQ

Can an organization charge a fee for an erasure request?

Under Article 12(5), the right to erasure must be exercised free of charge. However, where requests are manifestly unfounded or excessive — particularly when they are repetitive — the controller may charge a reasonable fee based on administrative costs or refuse to act entirely. The burden of demonstrating that a request is manifestly unfounded or excessive falls on the controller.

Does the right to erasure apply to backup systems?

Yes. The right to erasure applies to all copies of personal data, including backups. However, regulators such as the ICO have acknowledged that immediate deletion from backup systems may be technically impractical. Controllers should ensure that backup data is excluded from any future restoration and is deleted when the backup cycle naturally expires. This approach must be documented and communicated to the data subject.

What should organizations do when erasure conflicts with a retention obligation?

When a statutory retention period applies — for instance, tax legislation requiring that financial records be kept for seven years — the controller may refuse the erasure request under the Article 17(3)(b) exception. The refusal must be communicated to the data subject with a clear explanation of the legal basis for continued retention and information about their right to lodge a complaint with a supervisory authority.

Written by
Dr. Thiébaut Devergranne
Founder of Legiscope and GDPR expert

Doctor of Law from Université Panthéon-Assas (Paris II), with 23 years of experience in digital law and GDPR compliance. Former adviser to the Prime Minister's administration on the implementation of the GDPR. Thiébaut is the founder of Legiscope, an AI-automated GDPR compliance platform.