This comprehensive guide explains GDPR fundamentals, the Right to Be Forgotten, key principles, and how organizations achieve compliance.

The General Data Protection Regulation (GDPR) has transformed how organizations handle personal data, with the Right to Be Forgotten emerging as one of its most powerful provisions.
According to the European Data Protection Board:
“30 Data Protection Authorities across Europe launched coordinated enforcement on the right to erasure in 2025, demonstrating the continued importance of this fundamental right.”
Exabeam explains that:
“The right to erasure empowers individuals to ensure that their personal data is no longer processed and, in some cases, dictates that the data should be completely removed from all records.”

Source: GDPR Overview
GDPR Overview: Understanding EU Data Protection Law
The General Data Protection Regulation represents the European Union’s comprehensive framework for data protection and privacy. Effective since May 25, 2018, GDPR establishes strict requirements for how organizations collect, process, store, and protect personal data.
What Is GDPR?
GDPR is a regulation (not a directive), meaning it applies directly across all EU member states without requiring national legislation. The regulation aims to give individuals control over their personal data while simplifying the regulatory environment for international business by unifying data protection rules across Europe.
Territorial Scope: GDPR applies to organizations that process personal data of EU residents, regardless of where the organization is located. This extraterritorial reach means businesses worldwide must comply if they:
- Have an establishment in the EU
- Offer goods or services to individuals in the EU
- Monitor behavior of individuals in the EU
A small business in the United States selling products to European customers must comply with GDPR, making it truly global legislation.
Key GDPR Definitions
Personal Data: Any information relating to an identified or identifiable person (data subject). This includes names, identification numbers, location data, online identifiers, and factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity.
Data Subject: The individual whose personal data is being collected and processed. GDPR empowers data subjects with specific rights over their information.
Data Controller: The entity determining purposes and means of processing personal data. Controllers make decisions about what data to collect and how to use it.
Data Processor: Organizations processing personal data on behalf of controllers. Processors follow controller instructions but also have direct GDPR obligations.
Processing: Any operation performed on personal data including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.
GDPR Penalties and Enforcement
GDPR includes substantial penalties for violations:
- Tier 1 violations: Up to €10 million or 2% of annual global turnover (whichever is higher)
- Tier 2 violations: Up to €20 million or 4% of annual global turnover (whichever is higher)
The higher tier applies to the most serious violations, including processing data without a legal basis, violating the fundamental principles, or failing to respect data subject rights.

Source: GDPR-Right to Erasure
The Right to Be Forgotten: Article 17 Explained
The Right to Be Forgotten, officially called the Right to Erasure under Article 17, gives individuals the power to have their personal data deleted under specific circumstances.
What Is the Right to Erasure?
GDPR Local defines it as:
“A fundamental right defined in GDPR. Also known as the Right to Be Forgotten, this principle is defined in Article 17.”
The UK ICO clarifies that:
“Under Article 17 of the UK GDPR, individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’.”
When individuals exercise this right, organizations must erase their personal data without undue delay. The right extends beyond deletion from primary systems: it also covers backups, archives, and data held by third-party processors.
When Does the Right to Erasure Apply?
Article 17 of GDPR specifies that individuals can request erasure when:
1. Data No Longer Necessary: Personal data is no longer needed for the purposes for which it was collected or processed. If you signed up for a newsletter but no longer receive it, the company should delete your email address.
2. Consent Withdrawn: The individual withdraws consent on which processing is based, and there is no other legal ground for processing. If you consented to data processing and revoke that consent, the organization must erase your data unless another legal basis exists.
3. Objection to Processing: The individual objects to processing based on legitimate interests or direct marketing, and there are no overriding legitimate grounds for processing.
4. Unlawful Processing: Personal data has been processed unlawfully, such as without proper legal basis or in violation of GDPR requirements.
5. Legal Obligation: Erasure is required to comply with a legal obligation under EU or member state law.
6. Children’s Data: Personal data was collected from children in relation to information society services (websites, apps, online platforms). GDPR provides special protections for children’s data.
Exceptions and Limitations
Exabeam notes that:
“Article 17 is not an absolute right but can be exercised under specific conditions.”
Organizations can refuse erasure requests when:
Freedom of Expression: Processing is necessary for exercising freedom of expression and information rights.
Legal Obligations: Compliance with legal obligations requires retaining the data, such as tax records or employment documentation.
Public Interest: Processing serves public interest purposes in public health, scientific or historical research, or statistical purposes.
Legal Claims: Establishing, exercising, or defending legal claims requires the data. Organizations involved in litigation can retain relevant data.
Archiving: Data is needed for archiving purposes in the public interest, scientific or historical research, or statistical purposes, and erasure would render impossible or seriously impair achievement of processing objectives.
Processing Timeline
GDPREU.org explains that:
“Requests should typically be processed within a month, but verification of legitimacy is required.”
Organizations must:
- Respond within one month of receiving the request
- Extend by up to two additional months for complex requests (with explanation)
- Verify the requester’s identity before processing
- Provide clear information if refusing the request
- Notify third parties who received the data about the erasure
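The grounds, exceptions and timeline above amount to a decision procedure, so the following added example encodes them in code. It is written for this article and is not code from the page or from any organization quoted in it: an identity-verification gate, the one-month response deadline with an explained extension of up to two further months, the Article 17(3) exceptions that justify a refusal, and the erasure scope (primary systems, backups, archives, processors) together with notification of recipients. The enum names, the `ErasureRequest` structure and the sample requests are all constructed for illustration.

```python
"""GDPR Article 17 erasure-request triage (hypothetical example, not the page's code)."""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Ground(Enum):
    """Art. 17(1) grounds on which a data subject may request erasure."""
    NO_LONGER_NECESSARY = "data no longer necessary for the original purpose"
    CONSENT_WITHDRAWN = "consent withdrawn and no other legal basis"
    OBJECTION = "objection with no overriding legitimate grounds"
    UNLAWFUL = "personal data processed unlawfully"
    LEGAL_OBLIGATION = "erasure required by EU or member-state law"
    CHILD_DATA = "data collected from a child for information society services"


class Exemption(Enum):
    """Art. 17(3) grounds on which a controller may refuse erasure."""
    FREEDOM_OF_EXPRESSION = "freedom of expression and information"
    LEGAL_OBLIGATION_TO_RETAIN = "retention required by law (e.g. tax records)"
    PUBLIC_INTEREST = "public health, research or statistics in the public interest"
    LEGAL_CLAIMS = "establishing, exercising or defending legal claims"
    ARCHIVING = "archiving in the public interest where erasure would impair it"


# Erasure is not limited to the primary database.
ERASURE_SCOPE = ("primary systems", "backups", "archives", "third-party processors")


@dataclass
class ErasureRequest:
    subject_id: str
    received: date
    grounds: set[Ground]
    identity_verified: bool = False
    is_complex: bool = False
    extension_reason: str = ""  # must be given to the subject when extending
    recipients: list[str] = field(default_factory=list)  # parties who received the data


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamped to the target month's last day (31 Jan + 1 -> 28 Feb)."""
    year = d.year + (d.month - 1 + months) // 12
    month = (d.month - 1 + months) % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def response_deadline(req: ErasureRequest) -> date:
    """One month from receipt; complex requests may take up to two months more,
    but only with an explanation to the data subject."""
    if req.is_complex:
        if not req.extension_reason:
            raise ValueError("an extension must be explained to the data subject")
        return add_months(req.received, 3)
    return add_months(req.received, 1)


def triage(req: ErasureRequest, exemptions: set[Exemption], today: date) -> dict:
    """Decide how to handle a request and what the controller must do next."""
    deadline = response_deadline(req)
    result = {"subject_id": req.subject_id, "deadline": deadline.isoformat(),
              "overdue": today > deadline}
    if not req.identity_verified:
        # Never erase on an unverified request; the clock is already running,
        # so verification is the first step, not an afterthought.
        result.update(decision="pending_verification",
                      action="verify the requester's identity before acting")
    elif not req.grounds:
        result.update(decision="refuse", reason="no Art. 17(1) ground stated",
                      action="inform the data subject clearly why the request is refused")
    elif exemptions:
        result.update(decision="refuse",
                      reason="Art. 17(3) exception: " + "; ".join(sorted(e.value for e in exemptions)),
                      action="inform the data subject clearly why the request is refused")
    else:
        result.update(decision="erase", scope=list(ERASURE_SCOPE),
                      notify_recipients=list(req.recipients),
                      action="erase without undue delay and notify recipients")
    return result


# Constructed sample requests (not real cases).
STRAIGHTFORWARD = ErasureRequest("subj-001", date(2025, 1, 31), {Ground.CONSENT_WITHDRAWN},
                                 identity_verified=True, recipients=["mailing-list vendor"])
UNVERIFIED = ErasureRequest("subj-002", date(2025, 1, 31), {Ground.UNLAWFUL})
COMPLEX = ErasureRequest("subj-003", date(2025, 1, 31), {Ground.NO_LONGER_NECESSARY},
                         identity_verified=True, is_complex=True,
                         extension_reason="data held by several processors must be located")
REVIEW_DATE = date(2025, 3, 5)

if __name__ == "__main__":
    print(triage(STRAIGHTFORWARD, set(), REVIEW_DATE))
    print(triage(STRAIGHTFORWARD, {Exemption.LEGAL_CLAIMS}, REVIEW_DATE))
    print(triage(UNVERIFIED, set(), REVIEW_DATE))
    print(triage(COMPLEX, set(), REVIEW_DATE))
```

Two design points worth noting: the deadline is computed from the date of receipt, not from the date identity is confirmed, so an unverified request that sits in a queue shows up as overdue; and the month arithmetic clamps to the end of the month, so a request received on 31 January is due on 28 February rather than overflowing into March.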

Source: GDPR Article 17 Compliance
Key GDPR Principles: Foundation of Data Protection
GDPR establishes seven fundamental principles that govern all data processing:
1. Lawfulness, Fairness, and Transparency
Personal data must be processed lawfully, fairly, and transparently. Organizations must have a legal basis for processing (consent, contract, legal obligation, vital interests, public task, or legitimate interests) and be transparent about data practices through clear privacy notices.
2. Purpose Limitation
Data can only be collected for specified, explicit, and legitimate purposes. Organizations cannot collect data “just in case” or repurpose data for unrelated activities without additional legal basis.
3. Data Minimization
Only collect personal data that is adequate, relevant, and limited to what is necessary for processing purposes. If you don’t need a customer’s date of birth for your service, don’t ask for it.
4. Accuracy
Personal data must be accurate and kept up to date. Organizations must take reasonable steps to ensure accuracy and provide mechanisms for data subjects to correct inaccurate information.
5. Storage Limitation
Data should only be kept in identifiable form for as long as necessary for processing purposes. Organizations must establish retention schedules and delete data when no longer needed.
6. Integrity and Confidentiality
Personal data must be processed securely using appropriate technical and organizational measures. This includes protection against unauthorized access, accidental loss, destruction, or damage.
7. Accountability
Organizations must demonstrate compliance with GDPR principles through documentation, policies, staff training, and regular audits. Accountability means not just complying, but being able to prove compliance.
Consent Under GDPR: Requirements and Best Practices
Consent is one legal basis for processing personal data, but GDPR sets high standards for valid consent:
Requirements for Valid Consent
Freely Given: Consent must be voluntary, without pressure, deception, or significant imbalance of power. Pre-checked boxes don’t constitute valid consent.
Specific: Consent must relate to specific processing purposes. Blanket consent for all activities is invalid.
Informed: Individuals must understand what they’re consenting to, including data controller identity, processing purposes, data types collected, and their right to withdraw consent.
Unambiguous: Consent requires clear affirmative action. Silence, inactivity, or pre-ticked boxes don’t constitute consent.
Withdrawable: Individuals can withdraw consent easily at any time. Withdrawal must be as simple as giving consent initially.

Source: Consent-Requirements
Special Protections for Children
Organizations offering information society services directly to children must obtain parental consent for children under 16 (member states can lower to 13). Age verification mechanisms must be implemented where children are users.
Consent vs. Other Legal Bases
Consent isn’t always the most appropriate legal basis. For employment relationships, contractual performance, or legal obligations, other bases may be more suitable. Organizations should carefully evaluate which legal basis applies to each processing activity.
Data Subject Rights Under GDPR
Beyond the Right to Erasure, GDPR grants data subjects comprehensive rights:
Right to Access (Article 15)
Individuals can request confirmation of whether their data is being processed and obtain copies of their personal data. This includes information about processing purposes, data categories, recipients, retention periods, and their other rights.
Right to Rectification (Article 16)
Data subjects can request correction of inaccurate personal data and completion of incomplete data. Organizations must respond promptly and notify relevant third parties of corrections.
Right to Restriction of Processing (Article 18)
Individuals can request that processing be restricted while the accuracy of their data is being verified, where processing is unlawful but they prefer restriction to erasure, where the data is no longer needed by the organization but is required by the individual for legal claims, or while an objection to processing is pending verification.
Right to Data Portability (Article 20)
Where processing is based on consent or contract and carried out by automated means, individuals can receive their data in structured, commonly used, machine-readable format and transmit it to another controller.
Right to Object (Article 21)
Data subjects can object to processing based on legitimate interests, direct marketing (absolute right), or processing for scientific or historical research purposes.
Rights Related to Automated Decision-Making (Article 22)
Individuals have the right not to be subject to solely automated decisions producing legal effects or similarly significant effects, including profiling, with specific exceptions.

Source: GDPR Article Flow Chart
Achieving GDPR Compliance: Organizational Steps
Organizations must implement comprehensive programs to achieve and maintain GDPR compliance:
1. Data Mapping and Inventory
Document all personal data processing activities including data types collected, processing purposes, legal bases, retention periods, data sources, recipient categories, and international transfers. Create a Record of Processing Activities (ROPA) as required by Article 30.
2. Privacy by Design and Default
Build data protection into systems and processes from the outset. Implement technical measures like encryption, pseudonymization, and access controls. Configure systems to process only necessary data by default.
3. Data Protection Impact Assessments
Conduct DPIAs for high-risk processing including large-scale special category data, systematic monitoring, or automated decision-making. Document risks and mitigation measures.
4. Implement Individual Rights Procedures
Establish processes for handling data subject requests including identity verification, request tracking, response templates, and third-party notification procedures. Train staff on recognizing and escalating requests.
5. Vendor Management
Ensure processors comply with GDPR through written contracts specifying processing instructions, security measures, sub-processor requirements, and data return or deletion upon termination.
6. Breach Response Procedures
Develop incident response plans including breach detection, assessment, documentation, notification to supervisory authorities (within 72 hours), and communication to affected individuals when required.
7. Staff Training and Awareness
Provide regular GDPR training covering principles, individual rights, security practices, breach reporting, and role-specific responsibilities. Update training as requirements evolve.
8. Documentation and Accountability
Maintain comprehensive documentation demonstrating compliance including policies, procedures, training records, DPIA outcomes, breach logs, and data processing agreements.
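Two of the steps above name concrete technical measures: pseudonymization under privacy by design (step 2) and, from the Storage Limitation principle, retention schedules with deletion when data is no longer needed. The following added example, written for this article and not taken from the page or any vendor, shows how they fit together: a per-purpose retention schedule, a sweep that deletes or pseudonymizes records once their period has lapsed while honouring a legal hold, and a keyed-hash pseudonym so that statistics can continue without the direct identifier. The purposes, retention periods, records and key are all constructed for illustration; real periods are set per purpose and documented in the ROPA.

```python
"""Storage limitation in practice: retention schedule, sweep and keyed-hash
pseudonym (hypothetical example, not the page's code)."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Constructed schedule: purpose -> (days to retain, action once lapsed).
RETENTION_SCHEDULE = {
    "newsletter": (30, "delete"),           # purpose ends at unsubscribe; drop soon after
    "order_fulfilment": (3650, "delete"),   # placeholder for a statutory bookkeeping period
    "web_analytics": (90, "pseudonymize"),  # statistics can continue without the identifier
}


@dataclass(frozen=True)
class Record:
    record_id: str
    subject_ref: str          # direct identifier (email) or, after the sweep, a pseudonym
    purpose: str
    collected: date
    legal_hold: bool = False  # needed for legal claims: an Art. 17(3) retention ground
    pseudonymized: bool = False


def pseudonymize(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the normalised identifier. Same input -> same token, so
    records stay linkable; reversal needs `key`, which is stored apart from the
    data. Pseudonymized data is still personal data under GDPR, because the key
    is the additional information that could re-identify it."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def retention_expired(rec: Record, today: date) -> bool:
    days, _ = RETENTION_SCHEDULE[rec.purpose]
    return today > rec.collected + timedelta(days=days)


def sweep(records: list[Record], today: date, key: bytes) -> tuple[list[Record], list[tuple]]:
    """Apply the schedule. Returns the records to keep and an action log of
    (record_id, action, reason), which is the evidence an accountability audit asks for."""
    kept: list[Record] = []
    actions: list[tuple] = []
    for rec in records:
        # Within its period, or already pseudonymized: nothing to do.
        if not retention_expired(rec, today) or rec.pseudonymized:
            kept.append(rec)
            continue
        if rec.legal_hold:
            kept.append(rec)
            actions.append((rec.record_id, "retain", "legal hold: needed for legal claims"))
            continue
        _, action = RETENTION_SCHEDULE[rec.purpose]
        if action == "pseudonymize":
            token = pseudonymize(rec.subject_ref, key)
            kept.append(replace(rec, subject_ref=f"pseud:{token}", pseudonymized=True))
            actions.append((rec.record_id, "pseudonymize", "direct identifier replaced by keyed hash"))
        else:
            actions.append((rec.record_id, "delete", f"{rec.purpose} retention period lapsed"))
    return kept, actions


# Constructed sample data and key (illustration only; a real key lives in a secrets store).
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"
SAMPLE_RECORDS = [
    Record("r1", "ann@example.com", "newsletter", date(2025, 1, 1)),
    Record("r2", "bob@example.com", "newsletter", date(2025, 5, 20)),
    Record("r3", "cara@example.com", "web_analytics", date(2025, 1, 15)),
    Record("r4", "dan@example.com", "order_fulfilment", date(2015, 1, 1), legal_hold=True),
]
SWEEP_DATE = date(2025, 6, 1)

if __name__ == "__main__":
    kept, actions = sweep(SAMPLE_RECORDS, SWEEP_DATE, PSEUDONYM_KEY)
    for entry in actions:
        print(entry)
    for rec in kept:
        print(rec.record_id, rec.purpose, rec.subject_ref[:30])
```

The action log is deliberately part of the return value rather than a side effect: the Accountability principle asks an organization to show that retention was enforced, and a record of what was deleted, pseudonymized or retained (and why) is that evidence. A legal hold overrides the schedule in the same way the legal-claims exception overrides an erasure request.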
Conclusion
GDPR and the Right to Be Forgotten represent fundamental shifts in how personal data must be handled, giving individuals unprecedented control over their information. Because GDPR applies extraterritorially to any organization processing EU residents’ data, compliance is essential for businesses worldwide.
The Right to Erasure under Article 17 empowers individuals to have their data deleted when it’s no longer necessary, consent is withdrawn, processing is unlawful, or other specific conditions apply. However, this right has limitations when freedom of expression, legal obligations, public interest, legal claims, or archiving purposes require data retention.
GDPR’s seven key principles, including lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity, and accountability, provide the foundation for compliant data processing. Valid consent requires being freely given, specific, informed, unambiguous, and easily withdrawable, with special protections for children under 16.
Beyond erasure, data subjects enjoy comprehensive rights including access, rectification, restriction, portability, objection, and rights regarding automated decision-making. Organizations achieve compliance through data mapping, privacy by design, impact assessments, rights procedures, vendor management, breach response, staff training, and thorough documentation.
With 30 European Data Protection Authorities launching coordinated enforcement on erasure rights in 2025, organizations must prioritize GDPR compliance to avoid penalties reaching €20 million or 4% of global turnover while respecting fundamental privacy rights that define modern data protection.
Frequently Asked Questions
What Is the Right to Be Forgotten Under GDPR?
The Right to Be Forgotten, defined in Article 17 of GDPR, allows individuals to request deletion of their personal data when it’s no longer needed, consent is withdrawn, or processing is unlawful. It ensures users can regain control of their digital footprint.
How Can a Company Comply With the Right to Erasure?
Organizations must establish clear data deletion policies, verify identity before erasure, and notify third parties who received the data. GDPR requires responses within one month, ensuring compliance with Article 17 obligations.
What Are the Penalties for Violating GDPR Rules?
Non-compliance can lead to fines of up to €20 million or 4% of annual global turnover, whichever is higher. Violations like ignoring erasure requests or processing data unlawfully fall under Tier 2 penalties.
Does the Right to Be Forgotten Apply Outside the EU?
Yes. GDPR’s extraterritorial scope means it applies to any organization processing data of EU residents, even if the business operates outside the EU. This includes companies offering goods, services, or tracking EU users online.
When Can an Organization Refuse a Data Erasure Request?
A company can deny deletion if data is needed for legal obligations, public interest, freedom of expression, or legal claims. These exceptions ensure data protection rights are balanced with other fundamental rights.