
What is the GDPR right to be forgotten? Data deletion requests explained

The GDPR right to be forgotten enables individuals in EU/EEA to request the deletion of their personal data under specific circumstances. Learn the six grounds for erasure, the time limit to take action, and how organizations can handle deletion requests properly.
Published by Usercentrics
Jun 3, 2025

The European Union’s General Data Protection Regulation (GDPR) is one of the most widely recognized and influential data privacy laws worldwide. It safeguards the personal data of individuals located within the European Union (EU) and European Economic Area (EEA). 

The regulation defines “personal data” as any information that relates to an identified or identifiable natural person. This includes obvious identifiers like names and email addresses, as well as less apparent data such as IP addresses, location information, and online identifiers.

The GDPR grants individuals — known as data subjects — rights regarding how organizations collect and use their personal data. Among these rights is the right to be forgotten, which enables them to request its deletion.

Having a clear understanding of how this right works can help organizations set up processes that handle deletion requests efficiently, reduce the risk of noncompliance, and maintain customer trust. 

In this article, we’ll examine the grounds and exceptions to the right to be forgotten, who it applies to, and the steps organizations can take to comply.

What is the GDPR right to be forgotten?

Art. 17 GDPR establishes what’s formally known as the “right to erasure,” which empowers individuals to request that their personal data be deleted under specific circumstances. 

Organizations must delete personal data when at least one of the following grounds applies:

  • The data is no longer necessary for the purposes for which it was collected or processed. New consent must be obtained to use collected personal data for new purposes.
  • The data subject withdraws consent, and there is no other legal basis for processing. The GDPR requires one of six legal bases for processing personal data and requires that withdrawing consent be as straightforward as giving it.
  • The individual objects to processing under Art. 21 GDPR, and there are no overriding legitimate grounds for processing. Overriding grounds could include retention requirements under other regulations, e.g., in the financial sector. Objections to processing for direct marketing purposes must always be honored.
  • The processing was unlawful. Any data handled in breach of the GDPR must be deleted. EU Member States’ Data Protection Authorities (DPAs) can order such deletion.
  • Erasure is required to meet a legal obligation under EU or Member State law. This right did exist under certain circumstances under EU law prior to the GDPR entering into force.
  • The personal data was collected from minors through online services offered directly to them. The world’s data privacy laws typically restrict access to children’s data and require special handling of it, including requiring prior consent from a parent or guardian.

Data subjects can have their personal data erased by a controller “without undue delay” if one of these grounds applies. The GDPR specifies a standard response time of one month for handling such requests, with possible extensions of up to two further months for complex cases. 

When a controller has made personal data public and receives an erasure request, it must delete its own copies and take reasonable steps to inform other data processors to erase the information as well. 

Under the GDPR, data controllers are generally responsible for the processing activities and compliance procedures of third parties that process data on their behalf.

The law does not define erasure, and it is generally accepted to mean the deletion of personal data. However, the method of erasure can depend on context. Controllers might achieve compliance through: 

  • Complete removal or deletion of personal data. This is the most common interpretation of the requirement.
  • Anonymization, only if:
    • The personal data can no longer be linked to the individual
    • The anonymization prevents reidentification, considering “all the means reasonably likely to be used…either by the controller or by another person to identify the natural person directly or indirectly.”
  • Deindexing, as seen in some search engine cases.

Art. 19 GDPR complements the right to erasure by requiring controllers to notify all third-party recipients when personal data is erased, rectified, or restricted following a data subject’s request. 

If controllers have disclosed personal information to external parties, including third-party data processors, they must notify those parties so they can also delete, correct, or limit further processing of the individual’s personal data. This obligation applies “unless this proves impossible or involves disproportionate effort.”

Exceptions to the GDPR right to be forgotten

The right to erasure is not absolute. Organizations can lawfully refuse a deletion request, and retain or continue processing the data, to the extent that the data is necessary for:

  • Exercising the right of freedom of expression and information
  • Compliance with a legal obligation
  • Performing a task in the public interest or in the exercise of official authority
  • Reasons of public interest regarding public health, and when the data is being processed by a health professional who is subject to a legal obligation of professional secrecy
  • Archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes
  • Establishing, exercising, or defending legal claims

How did the right to be forgotten come about?

The concept of a “right to be forgotten” first appeared under the 1995 Data Protection Directive (Directive 95/46/EC), though its scope was more limited. The Data Protection Directive — the predecessor to the GDPR — enabled individuals to request blocking or erasure of personal data that was inaccurate or no longer necessary. 

That limited right gained prominence through the 2014 Court of Justice of the European Union (CJEU) judgment in the case of Google Spain SL and Google Inc. v. AEPD and Mario Costeja González, where the CJEU held that individuals could ask search engines to de-list links to personal data when certain conditions applied. 

This decision established that search engines must respect an individual’s request to remove outdated or irrelevant results.

When the GDPR came into effect in 2018, it formalized and expanded this right under Article 17. The new regulation: 

  • Specified the conditions under which the right to erasure applies
  • Clarified the exceptions to the right
  • Added new obligations for data controllers, including notification duties under Article 19

Who has the right to be forgotten under the GDPR?

Individuals located in the EU/EEA whose personal data is handled by a controller have the right to be forgotten under the GDPR. 

Only natural persons — which means actual people rather than companies, associations, or other legal entities — can exercise this right and submit a request for erasure under Article 17. Organizations cannot invoke this right for data belonging to their business operations. 

The geographic location of the individual determines whether they have this right, regardless of where the data controller or processor operates from. The GDPR protects the data of individuals located within the EU/EEA. 

Who must comply with a data erasure request?

The GDPR has extraterritorial reach, meaning its jurisdiction extends beyond EU/EEA borders. Any organization that processes the personal data of individuals in the EU/EEA must honor a valid erasure request. This includes:

  • Controllers or processors established within the EU that process relevant personal data, even if processing occurs outside the EU/EEA
  • Organizations established or located outside the EU that process the personal data of EU/EEA residents, and:
    • offer them goods or services, including free offerings 
    • monitor the behavior of individuals located in the EU/EEA
  • Controllers established outside the EU but in a place where Member State law applies as a result of public international law

Public entities, private companies, and nonprofits all face identical obligations when handling covered personal data. There are no exemptions based on organizational structure or mission.

GDPR right to be forgotten and the blockchain

The GDPR mandates that data must be modifiable or erasable to meet legal obligations, including erasure requests from data subjects. Blockchain technology operates on the opposite principle — it prioritizes data immutability to maintain integrity and trust. 

This fundamental design difference creates a direct conflict between the GDPR’s requirements for data modification and deletion and blockchain technology’s functionality.

The European Data Protection Board (EDPB), which helps apply the regulation consistently across the EU, has adopted guidelines on the processing of personal data through blockchain technologies.

The guidelines recommend that controllers:

  • Design systems to honor erasure and objection rights by default. If controllers are unable to delete on-chain data, they should render it effectively anonymous so that re-identification is reasonably unlikely.
  • Recognize that on-chain deletion may prove technically impracticable, and consider alternative tools or architectures when immutability isn’t essential.
  • Avoid storing personal data directly on-chain, whether as clear text, encrypted, or hashed data, and shift that information off-chain whenever possible.
  • Uphold the storage limitation principle by minimizing how much personal data is stored on-chain, how long it is retained, and who can access it.

How to process a GDPR right to be forgotten request

A request for erasure is considered a data subject access request (DSAR) under the GDPR. Organizations must establish clear procedures for handling these requests to meet GDPR compliance obligations.

Although there is no mandated procedure, Art. 12 GDPR does lay out specific obligations that businesses must follow.

1. Provide a way for individuals to submit erasure requests

Organizations need to create clear, accessible mechanisms by which data subjects can submit erasure requests, such as web forms, privacy portals, or dedicated email addresses. 

Instructions for how individuals can make these requests must be included in privacy policies and other user-facing materials. The submission method should work properly across all devices and employ simple user interface designs that don’t obscure the process.

Data subjects might not use precise legal terminology when they request data deletion, so staff should be trained to identify what constitutes a request. Teams should treat expressions like “please delete my account/data” as an Article 17 request. 

Once organizations receive a request for erasure, they should log it in a tracking system to maintain proper records and monitor response timelines.

2. Authenticate the requestor’s identity

Organizations must verify that the person submitting the request is the data subject or has the legal authority to act on their behalf. 

When requests come through an account the individual is logged in to or from a registered email address, this may count as verification. 

In other cases, organizations can ask for additional information to confirm identity, and can deny a request if the individual’s identity cannot reasonably be verified, but they cannot compel individuals to create new accounts for the sole purpose of submitting DSARs. 

In alignment with the GDPR’s data minimization principle, organizations should request the least amount of personal data necessary for identity verification. 

It’s a delicate balance. Organizations need to confirm the requestor’s identity without creating excessive hurdles that could obstruct the right to erasure. Too many verification steps may discourage legitimate requests, while insufficient verification could lead to unauthorized access to personal information.

3. Acknowledge receipt of the request

Although not a GDPR requirement, it is good practice for controllers to send confirmation promptly after receiving an erasure request, even if identity verification remains pending. This supports transparency, another core GDPR principle.

The acknowledgment should include next steps and expected timelines for response. Under the GDPR, controllers have one month from the date the request is received to provide information on the action taken.

If controllers need extra time — because a request proves complex or they face unusually high volumes — they must notify the individual before the one-month deadline. The time limit can extend by up to two additional months under these circumstances, but the data subject must receive notification about the extension and the reasons for it before the initial month expires.

4. Clarify the nature and scope of the request

Controllers must assess whether the request for erasure falls under the GDPR’s jurisdiction and determine if the required grounds in Article 17 are met.

When requests lack clarity, controllers may follow up with the individual to confirm exactly what personal data they want deleted. 

Controllers should apply the criteria under Article 17 to verify whether the request meets valid grounds for erasure, such as the data no longer being necessary for its original purpose or consent having been withdrawn. 

Organizations must also check for exemptions that might prevent data deletion, such as when data must be retained for legal claims or compliance obligations.

It’s important to note that controllers cannot charge a fee for deleting an individual’s personal data unless the requests are “manifestly unfounded or excessive,” for example because the individual repeatedly submits the same request. In that case, the controller may charge a reasonable fee based on administrative costs, or simply refuse the request.

5. Delete the personal data

When controllers receive a valid request that meets the criteria outlined in Article 17, they must remove the personal data from all systems, platforms, and third-party services where it may exist. This includes archives and backups, as feasible.

Under Article 19, organizations must also notify any processors and third-party recipients who store the data so they can delete their copies as well. Doing so fulfills the broader obligation to address all instances of the personal data.

6. Notify the requester when the process is complete

Organizations must provide clear communication once they finish processing an erasure request. The notification should explain exactly what data was deleted, and, when applicable, what information was retained along with the justification for retention. This transparency helps individuals understand that their request was properly addressed.

The notification must also include information about the requester’s right to lodge a complaint with a supervisory authority if they disagree with how their request was handled, especially if the erasure request was denied.

It should include the name and contact details of the relevant authority to enable the requester to exercise that right under the GDPR.

7. Document the request and your response

The GDPR’s accountability principle requires organizations to demonstrate compliance, and regulators encourage controllers to keep detailed records of data subject requests and their responses. 

Proper documentation is necessary for organizations to prove that they handled requests appropriately during audits or if questioned by supervisory authorities.

For each request for erasure, controllers should log specific information, including: 

  • Date the request was received
  • Identity of the requester and verification methods used
  • Outcome, along with justification
  • What data was deleted or retained
  • Date the data was deleted
  • Date the controller responded to the individual

These records serve as evidence of proper handling. They also help organizations track patterns in requests that might inform future data handling practices.

GDPR right to be forgotten fines

The GDPR divides penalties into two tiers, depending on the severity of the violation. 

Infringement of data subject rights is considered a serious breach. Under Art. 83(5) GDPR, it can result in a fine of up to EUR 20 million or four percent of global annual turnover, whichever is higher.

Achieving GDPR compliance with Usercentrics CMP

Violating the GDPR can result in massive financial penalties that threaten organizational stability. Beyond monetary consequences, data protection authorities can impose corrective actions such as processing restrictions, mandatory data deletion requirements, or operational changes to data handling practices. 

Compliance failures can also seriously harm your organization’s reputation, undermine customer trust, and discourage potential investors, partners, or advertisers.

GDPR compliance can be complex, but working with appropriate tools and resources simplifies the process. Using a consent management platform (CMP) like Usercentrics CMP helps organizations meet GDPR requirements for handling personal data and collecting it through digital channels.

Usercentrics CMP simplifies managing user consent, helps you understand what data your website collects, and supports provision of compliance documentation if an audit occurs.

Usercentrics CMP provides an easy way for data subjects to withdraw consent — one of the Article 17 grounds for personal data deletion — and maintains comprehensive audit trails documenting user consent decisions. Users can also update their consent preferences at any time.

When users who previously provided consent later request deletion, you can preserve records that show initial consent followed by withdrawal, supporting compliance documentation requirements.

Usercentrics does not provide legal advice, and information is provided for educational purposes only. We always recommend engaging qualified legal counsel or privacy specialists regarding data privacy and protection issues and operations.