Why It Matters
The right to erasure is one of the best-known GDPR rights and one of the most frequently exercised by individuals. Search engines like Google receive millions of erasure requests per year. For businesses, handling these requests correctly, within the one-month deadline, is critical to avoiding complaints and fines.
When Does the Right Apply?
A data subject can request erasure when:
- The data is no longer necessary for the purpose for which it was collected
- Consent is withdrawn and there is no other legal basis
- The data subject objects to processing and there are no overriding legitimate grounds
- The data was unlawfully processed
- A legal obligation requires erasure
- The data was collected from a child in relation to information society services
When Can You Refuse?
The right to erasure is not absolute. Organizations can refuse when processing is necessary for:
- Freedom of expression and information (journalism, academic research)
- Legal obligations (tax records, employment law requirements)
- Public health purposes
- Archiving in the public interest, scientific or historical research
- Establishment, exercise, or defense of legal claims
How to Handle a Request
- Verify the identity of the requester
- Respond within one month (extendable by two months for complex requests, with notice)
- Delete the data from all systems — production databases, backups, logs, third parties
- Inform any third parties to whom the data was disclosed
- Document the request and your response — even if you refuse, explain why
- If you refuse, inform the data subject of their right to lodge a complaint with the supervisory authority
Key Regulation
- GDPR Article 17 — right to erasure
- CJEU "Google Spain" ruling (2014) — established the "right to be forgotten" in search results
- EDPB Guidelines on data subject rights — process guidance