Right to Be Forgotten: Your Complete GDPR Compliance Guide


The right to be forgotten has transformed how organizations handle personal data across the globe. Enshrined as the right to erasure in Article 17 of the GDPR, which came into force in May 2018, this fundamental privacy right empowers individuals to reclaim control over their digital footprint. But what does it really mean for your organization's compliance strategy?

Understanding the Right to Be Forgotten

Also known as the right to erasure, this GDPR right lets individuals ask organizations to delete their personal data. This isn't simply a nice-to-have feature—it's a legal obligation that carries significant weight.

The concept gained prominence through the 2014 Court of Justice of the European Union judgment in the case of Google Spain SL and Google Inc. v. AEPD and Mario Costeja González, where the CJEU held that individuals could ask search engines to de-list links to personal data when certain conditions applied. This landmark decision paved the way for what would become one of the GDPR's most discussed provisions.

The numbers tell a compelling story. From 2015 to 2021, 1,066,274 "right to be forgotten" or "right to erasure" requests were submitted to Google and Bing. That's over one million people actively exercising their privacy rights—and the trend continues to grow as awareness increases.

When the Right to Erasure Applies

Organizations must delete personal data when specific conditions are met. An individual has the right to have their personal data erased if: the personal data is no longer necessary for the purpose an organization originally collected or processed it; an organization is relying on an individual's consent as the lawful basis for processing the data and that individual withdraws their consent; or an organization is relying on legitimate interests as its justification for processing an individual's data, the individual objects to this processing, and there is no overriding legitimate interest for the organization to continue with the processing.

Additional grounds include unlawful processing, compliance with legal obligations, and special protections for children's data. These aren't abstract concepts—they're actionable triggers that require immediate organizational response.

Critical Exceptions You Need to Know

The right to be forgotten isn't absolute. Understanding when you can refuse a deletion request is just as important as knowing when to comply. Organizations can refuse when the data is being used to exercise the right of freedom of expression and information; the data is being used to comply with a legal ruling or obligation; or the data is being used to perform a task that is being carried out in the public interest or when exercising an organization's official authority.

For instance, when the data is necessary to comply with a legal obligation, such as invoices and accounting documents that must be kept for a specific period established by tax law (4 years), you have legitimate grounds to retain it.

The Real Cost of Non-Compliance

Ignoring right to be forgotten requests can be expensive. Non-compliance can result in fines up to 4% of global annual turnover or €20 million, whichever is higher. These aren't empty threats.

Belgium's data protection authority issued its largest-ever fine (€600,000) to Google for failing to implement the right to be forgotten. Meanwhile, Carrefour France was fined €2.25 million by the French CNIL for a number of violations, including not responding to requests to delete data.

The enforcement landscape is only intensifying. Regulators are watching, and they're willing to take action against organizations that don't take data erasure seriously.

Practical Steps for Compliance

Building a compliant erasure process doesn't have to be overwhelming. Start with these actionable steps:

1. Map Your Data Ecosystem

You can't delete what you can't find. Knowing how personal data flows through your own systems and those of your processors saves a great deal of GDPR compliance effort later, and it lets you quickly determine where the personal data you need to delete lives and how to reach it.

2. Establish Clear Response Protocols

"Undue delay" is generally taken to mean about a month. That's your window for responding to erasure requests. Create standardized procedures that ensure every request flows through verification, assessment, execution, and confirmation stages.

3. Implement Verification Safeguards

Before erasing data, you must also take reasonable steps to verify the person requesting erasure is actually the data subject. Balance security with accessibility—don't create unnecessary barriers, but protect against fraudulent requests.

4. Address the Backup Challenge

One of the trickiest aspects of data erasure involves backup systems. The main priority is to delete active records from live systems, such as personal data stored in databases, files and customer records. Backups, on the other hand, may remain until they are overwritten according to the organization's retention schedule. However, they must be put "beyond use", meaning they cannot be accessed or processed for any other purpose.
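As an added illustration (not code from the original post), the four steps above combined into one small Python workflow: verification gates the request, assessment keeps records covered by a legal-obligation exception, execution deletes the rest from the live store, backups are flagged "beyond use" rather than purged, and completion is checked against the one-month window. The record layout, field names and the four-year invoice retention check are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed example (not the page's code): a minimal Article 17 erasure
# workflow covering the verification, assessment, execution and confirmation
# stages. Record shape, field names and the retention rule are assumptions.
RESPONSE_WINDOW = timedelta(days=30)   # "undue delay" is roughly one month
TAX_RETENTION_YEARS = 4                # invoice retention from the tax-law example above

@dataclass
class ErasureRequest:
    subject_id: str
    received: date
    identity_verified: bool            # verification stage, completed before any deletion
    status: str = "received"
    retained: list = field(default_factory=list)   # record types kept under an exception

def response_deadline(req: ErasureRequest) -> date:
    return req.received + RESPONSE_WINDOW

def must_retain(record: dict, today: date) -> bool:
    """Assessment stage: a legal-obligation record stays until its retention period ends."""
    if record["basis"] != "legal_obligation":
        return False
    c = record["collected"]
    return today < date(c.year + TAX_RETENTION_YEARS, c.month, c.day)

def process(req: ErasureRequest, live: dict, backups: dict, today: date) -> ErasureRequest:
    """Execution and confirmation: erase live records, put backup copies beyond use."""
    if not req.identity_verified:
        req.status = "rejected_unverified"      # never erase on an unverified request
        return req
    kept = [r for r in live.get(req.subject_id, []) if must_retain(r, today)]
    req.retained = [r["type"] for r in kept]
    live[req.subject_id] = kept                  # live system: everything else is deleted
    for snap in backups.values():                # backups stay until overwritten, but are flagged
        if req.subject_id in snap["subjects"]:
            snap["beyond_use"].add(req.subject_id)
    req.status = "completed" if today <= response_deadline(req) else "completed_late"
    return req

def run_sample(received: str, today: str, verified: bool = True):
    """Constructed sample data: one subject with a consent-based profile and a 2023 invoice."""
    live = {"subj-42": [
        {"type": "profile", "basis": "consent", "collected": date(2024, 3, 1)},
        {"type": "invoice", "basis": "legal_obligation", "collected": date(2023, 6, 15)},
    ]}
    backups = {"snap-2024-09": {"subjects": {"subj-42"}, "beyond_use": set()}}
    req = ErasureRequest("subj-42", date.fromisoformat(received), verified)
    return process(req, live, backups, date.fromisoformat(today)), live, backups
```

Running `run_sample("2025-01-10", "2025-01-20")` erases the consent-based profile, keeps the invoice (its four-year retention has not expired), flags the backup snapshot beyond use and reports the request as completed inside the window.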

Building a Culture of Data Privacy

Compliance isn't just about avoiding fines—it's about building trust. When customers know you respect their privacy rights, they're more likely to engage with your services confidently.

Develop clear documentation of your erasure process. Train your team on recognizing and handling requests. Implement technology solutions that automate discovery and deletion where appropriate. Most importantly, treat every erasure request as an opportunity to demonstrate your commitment to privacy.

Looking Ahead

The right to be forgotten continues to evolve globally. Several other countries have introduced similar data protection measures: Argentina and the Philippines have implemented RTBF principles under their data protection frameworks; Canada strengthened its privacy laws with the Consumer Privacy Protection Act; South Korea enhanced its Personal Information Protection Act; and India introduced the Digital Personal Data Protection Act (2023), which includes data erasure provisions.

As privacy regulations expand worldwide, organizations that master GDPR's right to erasure will find themselves well-positioned for compliance across multiple jurisdictions. The question isn't whether to implement robust data erasure practices—it's how quickly you can get them in place.

For more information on GDPR Article 17, see the Right to be Forgotten Wikipedia page or consult GDPR.eu's comprehensive guide.