GDPR Right to Erasure (Article 17)
GDPR Article 17 grants EU residents the right to request deletion of their personal data, with significant penalties for non-compliance.
The Right to Erasure, commonly known as the 'Right to Be Forgotten,' is established under Article 17 of the European Union's General Data Protection Regulation (GDPR). It grants individuals the right to request that organizations delete their personal data when certain conditions are met. This right is a cornerstone of GDPR's data subject rights framework and reflects the principle that individuals should maintain control over their personal information throughout its lifecycle. The regulation applies to any organization processing personal data of EU residents, regardless of where the organization is headquartered.
Data subjects can request erasure when the data is no longer necessary for its original purpose, when they withdraw consent, when they object to processing and no overriding legitimate grounds exist, when the data was unlawfully processed, or when erasure is required by law. Organizations must respond within one month, extendable by a further two months for complex requests. Controllers must also notify third parties to whom the data was disclosed. However, the right is not absolute. Exemptions exist for data needed for exercising freedom of expression, compliance with legal obligations, public health purposes, archiving in the public interest, or establishing and defending legal claims. Organizations must implement technical measures to verify, locate, and delete data across all systems.
Non-compliance with GDPR erasure requests can result in fines up to 20 million euros or 4% of annual global turnover, whichever is higher. Beyond fines, failure to honor erasure rights damages consumer trust and brand reputation. Organizations must maintain data inventories, implement deletion workflows, and train staff on handling requests. For cybersecurity teams, this means building data mapping capabilities, ensuring backup systems can handle targeted deletions, and documenting compliance.
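As an added illustration, not code from the article or from CDA, here is a Python sketch of the deletion workflow the two paragraphs above describe: computing the response deadline, walking a data inventory for one subject, honouring the listed exemptions, and recording which third parties must be told. The system names, subject IDs and exemption labels are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
# Grounds the article lists under which a record may be kept despite a request
EXEMPTIONS = {"freedom_of_expression", "legal_obligation", "public_health",
              "public_interest_archiving", "legal_claims"}

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamped to the last day of the target month."""
    y, m = divmod(d.month - 1 + months, 12)
    y, m = d.year + y, m + 1
    last_day = (date(y + m // 12, m % 12 + 1, 1) - timedelta(days=1)).day
    return date(y, m, min(d.day, last_day))

def response_deadline(received: date, complex_request: bool = False) -> date:
    """One month to respond, extendable by two more months for complex requests."""
    return add_months(received, 3 if complex_request else 1)

@dataclass
class Record:
    system: str              # system name from the data inventory (hypothetical)
    subject_id: str
    exemption: str = ""      # retention ground if the record must be kept, else ""
    shared_with: tuple = ()  # third parties the data was disclosed to
@dataclass
class ErasureReport:
    deleted: list = field(default_factory=list)    # systems purged
    retained: dict = field(default_factory=dict)   # system -> exemption relied on
    notify: set = field(default_factory=set)       # recipients to inform
    remaining: list = field(default_factory=list)  # inventory after the request

def process_erasure(subject_id: str, inventory: list) -> ErasureReport:
    """Locate the subject's records, delete those no exemption covers, log the rest."""
    report = ErasureReport()
    for rec in inventory:
        if rec.subject_id != subject_id:
            report.remaining.append(rec)
        elif not rec.exemption:
            report.deleted.append(rec.system)
            report.notify.update(rec.shared_with)
        elif rec.exemption in EXEMPTIONS:
            report.retained[rec.system] = rec.exemption
            report.remaining.append(rec)
        else:  # an unrecognised exemption must not silently block deletion
            raise ValueError(f"{rec.system}: unknown exemption {rec.exemption!r}")
    return report

# Constructed sample inventory (hypothetical systems and IDs, not real data)
SAMPLE_INVENTORY = [Record("crm", "subject-42", shared_with=("mailing-vendor",)),
                    Record("invoices", "subject-42", exemption="legal_obligation"),
                    Record("crm", "subject-7")]
```

The returned report is the piece auditors ask for: what was deleted where, what was kept and on which ground, and who still has to be informed.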
Written by CDA Editorial