The Right to Be Forgotten: Your GDPR Compliance Guide

Understanding the Right to Be Forgotten Under GDPR

The right to be forgotten has transformed how organizations handle personal data across the European Union and beyond. It is formally known as the right to erasure under Article 17 of the GDPR, which came into force in May 2018, and it gives individuals unprecedented control over their personal information. But what does this mean for businesses navigating data privacy compliance in 2026?

The concept isn't entirely new. The right gained prominence through the 2014 Court of Justice of the European Union judgment in Google Spain SL and Google Inc. v. AEPD and Mario Costeja González, where the CJEU held that individuals could ask search engines to de-list links to personal data when certain conditions applied. This landmark case set the stage for the comprehensive framework we work with today.

The Scale of Data Erasure Requests

Organizations worldwide are experiencing the real-world impact of this regulation. From 2015 to 2021, 1,066,274 right to be forgotten or right to erasure requests were submitted to Google and Bing. French requests accounted for nearly a fourth of all the submitted requests, demonstrating how actively EU citizens exercise their privacy rights.

These numbers tell an important story: data erasure requests aren't theoretical—they're a practical reality that every organization processing EU citizen data must prepare to handle efficiently and legally.

When Does the Right to Erasure Apply?

The right to be forgotten, also known as the right to erasure, gives individuals the right under the GDPR to ask organizations to delete their personal data. However, it's not an absolute right. Organizations must evaluate each request against specific criteria outlined in Article 17 of the GDPR.

Organizations must delete personal data when at least one of several grounds applies. One is that the data is no longer necessary for the purposes for which it was collected or processed. Other valid grounds include when individuals withdraw consent and there's no other legal basis for processing, when data has been unlawfully processed, or when deletion is required to comply with a legal obligation.

One critical consideration: If you process data collected from children, you should give particular weight to any request for erasure if the processing of the data is based upon consent given by a child—especially any processing of their personal data on the internet. This is still the case when the data subject is no longer a child, because a child may not have been fully aware of the risks involved in the processing at the time of consent.

Critical Exceptions Every Compliance Officer Should Know

Understanding when you can refuse a deletion request is just as important as knowing when to grant one. Organizations don't have to erase data when it's being used to exercise the right of freedom of expression and information, being used to comply with a legal ruling or obligation, or being used to perform a task that is being carried out in the public interest or when exercising an organization's official authority.

Additional exemptions protect data necessary for public health purposes, scientific research, historical research, or statistical purposes—but only where erasure would impair or halt progress toward the original goal. Financial records required for tax compliance, employee data needed for legal obligations, and information essential for legal claims also remain protected from erasure demands.

Implementation: Your 30-Day Compliance Window

Time matters when handling erasure requests. Where one of a number of conditions applies, the controller is obliged to erase personal data without undue delay. Undue delay is considered to be about a month.

This tight timeline means organizations need robust systems in place before requests arrive. Here's what effective compliance looks like:

Build a Data Inventory

You can't delete what you can't find. Create comprehensive documentation of all personal data you collect, where it's stored, and why you're processing it. This includes data held by third-party processors and backup systems.

Train Your Team

An individual can make a request for erasure verbally or in writing. This request can also be made to any member of your organization, not just to a designated contact. This can create a challenge for an organization as any employee could receive a valid verbal request. Ensure frontline staff can recognize and properly escalate erasure requests.

Establish Clear Workflows

Develop standardized procedures for verifying identities, evaluating whether exceptions apply, coordinating with data processors, and documenting your decisions. Requests should typically be processed within a month, but you must still verify that each request is legitimate.

Notify Third Parties

Your responsibility extends beyond your own systems. If you have disclosed the personal data to others, you must contact each recipient and inform them of the erasure, unless this proves impossible or involves disproportionate effort.

Beyond Europe: Global Implications

While GDPR applies to EU and EEA residents, the concept is spreading globally. Argentina and the Philippines have implemented right to be forgotten (RTBF) principles under their data protection frameworks. Canada strengthened its privacy laws with the Consumer Privacy Protection Act incorporating erasure rights. South Korea enhanced its Personal Information Protection Act to reinforce individuals' rights over their personal data. India introduced the Digital Personal Data Protection Act (2023), which includes data erasure provisions.

The Bottom Line

The right to be forgotten represents a fundamental shift in how we think about data ownership and privacy. For organizations, compliance isn't optional—it's essential. By understanding when erasure requests apply, implementing efficient response procedures, and training your team to handle requests properly, you can turn regulatory compliance into a competitive advantage that builds customer trust.

Remember: every deletion request is an opportunity to demonstrate your commitment to data privacy and earn the confidence of individuals who entrust you with their personal information.