GDPR Right to Erasure (Right to Be Forgotten): Complete Guide
Article 17 of GDPR gives individuals the right to have their personal data deleted. Here’s when it applies, when you can refuse, and exactly how to handle erasure requests.
Of all the rights that GDPR grants to individuals, the right to erasure — commonly known as the “right to be forgotten” — is the one that creates the most anxiety for businesses. The idea that a customer or website visitor can demand you delete everything you hold on them sounds alarming. What about your records? What about legal obligations? What about your backups?
The good news is that the right to erasure is not absolute. There are clear rules about when it applies, when you can refuse, and how you must respond. This guide walks you through every aspect of Article 17 so you can handle erasure requests confidently and keep your business compliant.
What Is the Right to Erasure Under GDPR?
Article 17 of the General Data Protection Regulation gives individuals (known as “data subjects”) the right to request the deletion of their personal data. When a valid erasure request is made, the data controller must erase the personal data “without undue delay”. GDPR does not define that phrase, but Article 12(3) requires you to tell the individual what action you have taken within one month of receiving the request, so in practice both the erasure and your response are expected within that month.
The right was inspired by the landmark Google Spain v AEPD (2014) ruling, in which the Court of Justice of the European Union held that individuals could require search engines to remove links to outdated or irrelevant information about them. GDPR codified this principle into a broader right that applies to all data controllers, not just search engines.
It is important to understand that the right to erasure is not a blanket right to demand deletion in all circumstances. The individual must have a valid ground for their request, and the controller may have legitimate reasons to refuse.
The Six Grounds for Erasure
An individual can request erasure when any of the following conditions apply:
1. Consent Has Been Withdrawn
If you process someone’s data based on their consent, and they withdraw that consent, they have the right to request erasure of the data you collected under that consent. For example, if someone signed up for your newsletter and later unsubscribes, they can ask you to delete their email address and any associated data. You may only keep the data if you have another lawful basis for processing it.
2. Data Is No Longer Necessary
If you collected data for a specific purpose and that purpose has been fulfilled, the individual can request deletion. For instance, if you collected someone’s address to ship a product and the product has been delivered, the original purpose is complete. You would need a separate lawful basis (such as legal obligation for tax records) to continue holding it.
3. The Individual Objects to Processing
Under Article 21, individuals can object to processing carried out under “legitimate interests” or “public task” lawful bases. If they object and you have no overriding legitimate grounds, you must erase the data. If the processing is for direct marketing, the individual has an absolute right to object and request erasure — no balancing test is required.
4. Data Was Processed Unlawfully
If personal data was collected or processed without a valid lawful basis — for example, you collected data without consent where consent was required — the individual can demand erasure. This also applies if data was obtained through a breach of another GDPR provision.
5. Legal Obligation Requires Erasure
If EU or member state law requires you to delete data, the individual can invoke this ground. This is less commonly encountered in practice but exists to ensure GDPR aligns with other legal requirements for data deletion.
6. Data Was Collected From a Child
GDPR provides enhanced protections for children’s data. Where personal data was collected from a child in relation to information society services (such as a website or app), the individual — even after reaching adulthood — has a strengthened right to erasure. The rationale is that children cannot fully understand the risks of data processing at the time of collection.
When You Can Refuse an Erasure Request
The right to erasure is not absolute. Article 17(3) sets out specific exemptions where you are entitled, and in some cases required, to refuse. Note that the exemption applies only to the data the exemption actually covers: if you must keep invoices for tax purposes, that does not let you keep the same person’s marketing profile.
Freedom of Expression and Information
If erasing the data would conflict with the right to freedom of expression and information, you can refuse. This primarily protects journalistic, academic, artistic, and literary expression. A news website, for example, is not required to delete an accurate article about a public figure simply because that person requests erasure.
Compliance With a Legal Obligation
If you are legally required to retain the data, you must refuse the erasure request for that data. Common examples include financial transaction records (retained for six years under UK tax law), employment records, and anti-money laundering data. The same provision, Article 17(3)(b), also covers processing that is necessary for a task carried out in the public interest or in the exercise of official authority. Your privacy policy should explain these retention requirements.
Public Interest in Public Health
Data processed for reasons of public interest in the area of public health — such as protecting against serious cross-border health threats — is exempt from erasure requests. This exemption proved particularly relevant during the COVID-19 pandemic.
Archiving in the Public Interest, Research, or Statistics
If data is processed for archiving purposes in the public interest, scientific or historical research, or statistical purposes, and erasure would seriously impair that processing, you can refuse. This protects academic and research institutions that rely on longitudinal datasets.
Establishment, Exercise, or Defence of Legal Claims
If you need the data to establish, exercise, or defend legal claims, you can refuse erasure. For example, if a customer requests erasure but has an outstanding dispute or potential lawsuit with your business, you are entitled to retain the relevant data until the matter is resolved.
How to Handle Erasure Requests: Step by Step
Handling an erasure request correctly is not simply a matter of pressing “delete.” There is a defined process you must follow:
Step 1: Verify the Requester’s Identity
Before erasing any data, you must verify that the person making the request is who they claim to be. Unauthorised destruction of personal data is itself a personal data breach under Article 4(12), so deleting a customer’s account because an impostor asked you to is a breach, not compliance. Verify through a channel you already hold for the individual (for example, a confirmation sent to the email address on the account) rather than asking for identity documents by default, and do not collect more personal data than verification genuinely requires.
Step 2: Assess Whether the Request Is Valid
Determine which of the six grounds applies. If none applies, or if an exemption applies, you may refuse. You must inform the individual of your decision and the reasons for refusal, along with their right to complain to a supervisory authority.
Step 3: Respond Within One Month
GDPR requires you to respond to erasure requests within one calendar month. This deadline can be extended by a further two months for complex or numerous requests, but you must inform the individual of the extension within the first month and explain why.
Step 4: Erase the Data
If the request is valid, erase the individual’s personal data from every active system that holds it: databases, CRMs, email lists, spreadsheets, ticketing and support tools, analytics exports, search indexes, caches and application logs. You cannot do this reliably without a data inventory. Partial erasure is not sufficient: the only data you may keep is what you have identified as covered by an Article 17(3) exemption, and you should record what was retained and on what basis.
Step 5: Notify Third Parties
Two separate duties apply here. Under Article 17(2), if you have made the personal data public, you must take reasonable steps, including technical measures, to inform other controllers that are processing it that the individual has requested erasure of any links to, or copies of, that data. Under Article 19, you must communicate the erasure to each recipient you disclosed the data to, unless this proves impossible or involves disproportionate effort, and you must tell the individual who those recipients were if they ask. Processors are a third case: under Article 28 they act only on your instructions, so you instruct them to delete rather than merely inform them.
Step 6: Keep a Record
Ironically, you should keep a record of the erasure request itself — the date it was received, the decision you made, and the actions you took. This record should not contain the personal data that was deleted, but should demonstrate that you handled the request in compliance with GDPR. This is essential for accountability under Article 5(2).
Technical Considerations
Backups
One of the most common questions about the right to erasure is what happens to data in backups. The ICO’s guidance states that if it is genuinely impossible or disproportionately difficult to erase data from backup systems, you can retain it in backups on the condition that the backup data is isolated, not actively used, and will be overwritten in the normal course of your backup cycle. However, if the backup is restored, you must re-erase the data at that point.
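Steps 4 and 6 of the process above, together with the point about re-applying erasure after a restore, as an added example. This is not code from the original page; it uses in-memory dictionaries as stand-ins for real systems, a constructed data set, a hypothetical LEDGER_KEY secret and an EXEMPT_STORES table, all of which are assumptions. The erasure record holds only a keyed reference to the subject, never the address itself, and the same reference is what lets a restored backup be cleaned up again.

```python
"""Erasure workflow sketch (added example, not the page's own code)."""
import hashlib
import hmac
from datetime import datetime, timezone

# Assumption: a per-deployment secret.  A plain SHA-256 of an email can be
# reversed by hashing candidate addresses; an HMAC with a secret key cannot,
# so the erasure ledger can be kept without holding the address itself.
# While the key exists the reference is still pseudonymous data, so keep the
# key out of the backups the ledger is meant to police.
LEDGER_KEY = b"rotate-me-and-keep-out-of-backups"

# Assumption: stores that must NOT be erased, with the exemption relied on.
EXEMPT_STORES = {"invoices": "Art. 17(3)(b): tax records, six-year retention"}


def subject_ref(email: str) -> str:
    """Opaque, keyed reference for the erasure ledger."""
    normalised = email.strip().lower().encode()
    return hmac.new(LEDGER_KEY, normalised, hashlib.sha256).hexdigest()


def sample_stores():
    """Constructed sample data: three 'systems' that hold email addresses."""
    return {
        "crm": [{"email": "alice@example.com", "name": "Alice"},
                {"email": "bob@example.com", "name": "Bob"}],
        "newsletter": [{"email": "alice@example.com", "opted_in": True}],
        "invoices": [{"email": "alice@example.com", "invoice": "INV-1", "amount": 42}],
    }


def erase_subject(stores, email, ledger):
    """Remove every row for `email` from each non-exempt store and append a
    record to `ledger` that contains no personal data.  Returns rows removed
    per store."""
    target = email.strip().lower()
    actions = {}
    for name, rows in stores.items():
        if name in EXEMPT_STORES:
            continue
        before = len(rows)
        rows[:] = [r for r in rows if r.get("email", "").lower() != target]
        actions[name] = before - len(rows)
    ledger.append({
        "ref": subject_ref(email),
        "completed": datetime.now(timezone.utc).isoformat(),
        "erased": actions,
        "retained": dict(EXEMPT_STORES),
    })
    return actions


def ledger_mentions(ledger, email: str) -> bool:
    """Accountability check: the record must not contain the erased address."""
    needle = email.strip().lower()
    return any(needle in repr(entry).lower() for entry in ledger)


def restore_backup(backup_stores, ledger) -> int:
    """Re-apply every erasure in the ledger to a restored snapshot.  Backup rows
    are matched by recomputing the keyed reference for each stored address.
    Returns the number of rows removed again."""
    erased_refs = {entry["ref"] for entry in ledger}
    reapplied = 0
    for name, rows in backup_stores.items():
        if name in EXEMPT_STORES:
            continue
        kept = [r for r in rows if subject_ref(r.get("email", "")) not in erased_refs]
        reapplied += len(rows) - len(kept)
        rows[:] = kept
    return reapplied


if __name__ == "__main__":
    live, ledger = sample_stores(), []
    print("erased:", erase_subject(live, "alice@example.com", ledger))
    restored = sample_stores()  # stand-in for a backup taken before the request
    print("re-erased on restore:", restore_backup(restored, ledger))
```

The exempt-store table is the part worth getting right in a real system: it is the documented reason for every row you kept, and it is what you point the individual to when you explain a partial refusal.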
Third-Party Services
If you use third-party processors — payment gateways, analytics platforms, email marketing services, CRM systems — you must instruct them to delete the individual’s data as well. Your Data Processing Agreements (DPAs) with these providers should include provisions for handling erasure requests.
Search Engine Delisting
The right to erasure can extend to search engine results. If an individual has had their data erased from your website, they may also request that search engines remove cached or indexed versions. While you are not responsible for making this request on their behalf, you should inform them that they can submit a removal request directly to Google, Bing, and other search engines.
Anonymisation as an Alternative
In some cases, anonymising data rather than deleting it outright can satisfy both the erasure request and your business needs. Truly anonymised data (where the individual cannot be re-identified by any means reasonably likely to be used) falls outside GDPR’s scope entirely. However, pseudonymisation, where data can still be re-linked to an individual, does not qualify as erasure. Replacing an email address with a hash or a lookup token is pseudonymisation, not anonymisation: the mapping is deterministic, and anyone with a list of candidate addresses can rebuild it. Aggregation that removes every individual-level row is the usual route to genuine anonymisation.
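The difference between pseudonymisation and anonymisation, as an added example that is not part of the original page. The records are constructed, and the k threshold is an assumption. The first function hashes the email column, the second shows why that is still re-linkable, and the third aggregates to per-area counts with small groups suppressed so that no output row refers to one person.

```python
"""Hashing is pseudonymisation; aggregation can be anonymisation (added example)."""
import hashlib

# Constructed records: an email and a UK-style outward postcode.
RECORDS = [
    {"email": "alice@example.com", "outcode": "SW1A"},
    {"email": "bob@example.com", "outcode": "SW1A"},
    {"email": "carol@example.com", "outcode": "SW1A"},
    {"email": "dave@example.com", "outcode": "EH1"},
]


def _h(email: str) -> str:
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def pseudonymise(records):
    """Replace the email with its unkeyed SHA-256.  The address is gone from the
    rows, but the mapping is deterministic and the input space is small."""
    return [{"subject": _h(r["email"]), "outcode": r["outcode"]} for r in records]


def reidentify(pseudonymised, candidate_emails):
    """Dictionary attack on the hashed column: hash every candidate address and
    look it up.  Returns {hash: email} for every row that matches, which is
    exactly why this data is still personal data under GDPR."""
    table = {_h(e): e for e in candidate_emails}
    return {row["subject"]: table[row["subject"]]
            for row in pseudonymised if row["subject"] in table}


def anonymise(records, k: int = 3):
    """Aggregate to a count per outcode and drop any group smaller than k.
    Individual rows no longer exist in the output, so nothing in it can be
    linked back to a person.  A group-size threshold is one control among
    several; whether the result is truly anonymous depends on what else the
    recipient knows."""
    counts = {}
    for r in records:
        counts[r["outcode"]] = counts.get(r["outcode"], 0) + 1
    return {outcode: n for outcode, n in counts.items() if n >= k}


if __name__ == "__main__":
    hashed = pseudonymise(RECORDS)
    known = ["alice@example.com", "mallory@example.com", "dave@example.com"]
    print("recovered from hashes:", sorted(reidentify(hashed, known).values()))
    print("anonymised:", anonymise(RECORDS))
```

If the plan is to keep a "deleted" user's rows with the email hashed, the second function is the test to apply before calling it erasure: if you can recover the address from a list you could plausibly obtain, so can anyone else who gets the table.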
What Your Privacy Policy Must Say About Erasure
Under Articles 13 and 14 of GDPR, your privacy policy must inform individuals of their right to erasure. At a minimum, your policy should include:
- A clear statement that individuals have the right to request deletion of their personal data
- The circumstances in which erasure applies (or a reference to Article 17)
- How to submit an erasure request (email address, online form, or other mechanism)
- Your timeframe for responding (one month)
- Any circumstances in which you may refuse (legal obligations, legal claims, etc.)
- The right to lodge a complaint with the supervisory authority (the ICO in the UK) if the request is refused
Vague language like “you may have certain rights regarding your data” is not sufficient. GDPR requires transparency — your policy must be specific and written in clear, plain language.
Penalties for Non-Compliance
Failing to comply with erasure requests can result in significant fines. Under GDPR, violations of data subject rights fall under the higher tier of fines: up to €20 million or 4% of global annual turnover, whichever is greater.
Enforcement is not theoretical. In 2024, the Swedish Data Protection Authority fined a company SEK 12 million for failing to erase customer data upon request. The Spanish AEPD has issued dozens of fines specifically for erasure violations, many in the €50,000–€200,000 range. Even where fines are smaller, the reputational damage and regulatory scrutiny that follow can be far more costly.
Beyond fines, individuals who suffer damage as a result of a GDPR violation — including a failure to honour an erasure request — have the right to seek compensation through the courts.
The Google Spain Ruling and Its Legacy
The right to be forgotten entered public consciousness in 2014 with the landmark Google Spain SL v Agencia Española de Protección de Datos case. Mario Costeja González, a Spanish citizen, requested that Google remove search results linking to a 1998 newspaper article about the forced sale of his property due to social security debts. The debt had long been resolved, but the article remained easily discoverable.
The Court of Justice of the European Union ruled in his favour, establishing that search engines are data controllers and that individuals have the right to request delisting of results that are “inadequate, irrelevant or no longer relevant, or excessive.” The ruling did not require the original article to be deleted — only the search engine links.
Since 2014, Google has received millions of delisting requests and removed approximately half of the URLs submitted. The principle has been reinforced by subsequent rulings and was formally codified in GDPR’s Article 17 when the regulation took effect in 2018.
The Google Spain legacy means that the right to erasure is not limited to your own databases. If your business publishes personal information online — in blog posts, directories, reviews, or user profiles — an erasure request may require you to remove that information from public-facing pages and request its delisting from search engines.
Practical Tips for Businesses
- Create a documented process for handling erasure requests before you receive one. Having a clear workflow avoids panic and missed deadlines.
- Maintain a data inventory so you know exactly where personal data is stored across all your systems. You cannot erase data you cannot find.
- Review your Data Processing Agreements with third-party providers to ensure they include obligations to delete data on your instruction.
- Train your team to recognise erasure requests. They do not have to mention GDPR or Article 17 — any clear request to delete personal data triggers the obligation.
- Do not charge a fee for erasure requests. Article 12(5) applies the same rule to every data subject right, including Subject Access Requests: the request is free of charge, and only where it is manifestly unfounded or excessive may you charge a reasonable fee or refuse to act, and you must be able to demonstrate why.
- Respond even if you refuse. You must always acknowledge the request, explain your decision, and inform the individual of their right to complain. Silence is never acceptable.
Get Your Privacy Policy Right
A well-drafted privacy policy that clearly explains erasure rights is not just a legal requirement — it builds trust with your users and reduces the risk of complaints and enforcement action. Your policy should leave no ambiguity about what data you hold, how long you keep it, and how individuals can request its deletion.
LegalForge generates GDPR-compliant privacy policies that cover the right to erasure and every other data subject right required by Articles 13 and 14. Answer a few questions about your business, and receive a tailored privacy policy, terms of service, and cookie policy — all for a one-time £19 payment.