Right to Erasure and How to Handle It (Updated 2025)

What is the Right to Erasure?

The Right to Be Forgotten is a fundamental right defined in GDPR. Also known as the Right to Erasure, this principle is defined in Article 17. Companies must recognise these requests and understand how to deal with them.

Most importantly, the Right to Erasure is not an absolute right, and companies are allowed to retain certain information where this is required to protect themselves from legal action or to allow them to operate their business.

If you receive a Right to Erasure (RTE) request, please feel free to contact us – we are always happy to help. You can find more information from the ICO here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/

For more background, please keep reading.

RTE – Not an Absolute Right!

One of the highest-profile forms of data privacy protection is the “Right to Erasure” or, as it is more commonly known, “The Right to Be Forgotten.” The idea that an individual can compel a company to erase every trace of their data from its systems is a nightmare, if you look at it from the organisation’s side. Handling these requests accurately requires well-designed, robust, and forward-looking methods.

Among the data subject rights in the General Data Protection Regulation (GDPR), the right to erasure, a.k.a. the right to be forgotten, is the hardest to fulfil, and it is even the second most difficult GDPR obligation in practice.

Who Can Request Data Erasure?

Do you remember what Martin Luther King Jr. used to say, “a right delayed is a right denied”? We are going to use this sentence in a different context today. In the modern GDPR era, data subjects have more rights over their data than ever, backed by legal frameworks that set out how those rights are exercised. Data subjects can invoke the right to erasure or the right of access at any time, for any data you hold on them, with fines at stake. The words “delay” or “denied” don’t sound very nice, do they?

Imagine dozens of data subjects sending you requests all day, every day, and calling upon their rights. Your system will be in turmoil, not to mention the huge fines that will follow if you fail to provide what they need regarding their personal data.

Legal Basis for the Right to Erasure

So, what should you know about the notorious Right to Erasure?

According to Article 17 of the GDPR, when a natural person demands the erasure of their personal data, the company must carry it out without undue delay. The Right to Erasure or, as it is more commonly known, the right to be forgotten, is not absolute, however. In fact, according to Article 17, the Right to Erasure only applies under the following conditions:

Personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

The data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) and where there is no other legal ground for the processing;

The data subject objects to the processing pursuant to Article 21(1), and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

The personal data have been unlawfully processed;

The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

The personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

When does the right to erasure not apply?

As stated above, the GDPR has a few exceptions to the right to erasure that make this nightmare easier for businesses to handle. According to Article 17, companies do not have to comply with an individual’s right to be forgotten under the following conditions:

Exercising the right of freedom of expression and information;

For compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

For reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);

For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

For the establishment, exercise, or defence of legal claims.

So, now that you know what is written in Article 17 of the GDPR, should you be worried? Of course, you should. There is plenty you need to know about the Right to Erasure, but is there a way to handle it? Of course there is!

Becoming a fully GDPR-compliant organisation can be intimidating. You need a proactive game plan, but you must be aware that it might not be enough, so you need to keep a backup plan up your sleeve.

A great starting point is conducting an accurate and thorough companywide data audit from both legal and technological standpoints to cover all bases.

Firstly, it is important that you review your methods of collecting personal data and your data processing systems so you can be sure you are a fully GDPR-compliant organisation. You also need to determine what data you will collect, why you have it, how you will use it, and for what purposes. It’s equally important to think about how outdated and irrelevant data will be disposed of and how to safeguard the critical information that is still needed. Do not forget to ask for only the minimum amount of information necessary to confirm identity.

When Can a Business Refuse an Erasure Request?

Most customers think that deleting their data is a simple step, just a click away. Well, it’s not as easy as it looks.

The systems, applications, and databases that process personal data should enable the organisation to locate and delete data easily. This can be difficult, especially if the data is held on different systems or other platforms. If you hold data in the cloud, be aware that all of it must be deleted too.

As mentioned above, a request must be actioned without undue delay, which means that you don’t have long to comply with the erasure. If the request is particularly complex, you might be able to extend the deadline by two months. You must inform the individual before the first month is up, giving a clear reason for the delay. You might also want to be prepared for a visit by the regulator if an extension happens, because not every individual will be understanding.

It’s important to keep children in mind; they have special protection under the GDPR. For them, the Right to Erasure is particularly relevant and crucial, especially if their data is available on the internet.

Conclusion

The crucial point for a company to be compliant is to have a full set of policies and procedures constructed to protect all the information it processes. This is essential no matter what sector your company operates in or what size your business is. If your company breaks any of the data protection laws, it will potentially face an investigation by your supervisory authority, which could also hand out punishment ranging from hefty fines to enforcement notices. For these reasons, an organisation must ensure compliance through a formalised set of data protection policies and procedures.