What Is the Right to Erasure? GDPR Article 17 Explained

A plain-English guide to the GDPR right to erasure (right to be forgotten). Covers Article 17 in detail: the six grounds for erasure, the exceptions, how it relates to DSARs, and a practical process for handling erasure requests.

Last updated: 2026-02-07

The right to erasure -- also known as the "right to be forgotten" -- is one of the most high-profile rights under GDPR. It is also one of the most misunderstood. People think it means they can demand any business delete everything about them, no questions asked. Businesses think it means they have to wipe someone from existence the moment they ask.

Neither is accurate.

Article 17 of the GDPR creates a right to erasure that is real, enforceable, and important -- but it is also conditional. There are specific grounds on which someone can request erasure, and there are specific exceptions that allow businesses to say no. Understanding both sides is the key to handling these requests properly.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Privacy regulations are complex and change frequently. You should consult a qualified attorney for guidance specific to your business. The information here is based on the GDPR (Regulation (EU) 2016/679), particularly Article 17, and related regulatory guidance, as of the date of publication.

Article 17 in Plain English

Let us start with what the law actually says, translated from legal language into something useful.

Article 17(1) of the GDPR (Regulation (EU) 2016/679) states that an individual (GDPR calls them a "data subject") has the right to obtain from the "controller" (the organization that decides why and how the data is processed) the erasure of personal data concerning them, and the controller must erase it "without undue delay" where one of the grounds in Article 17(1)(a) to (f) applies.

The outer time limit comes from Article 12(3), which applies to all data subject rights: you must tell the individual what you have done without undue delay and in any event within one month of receiving the request. Many teams track this as "30 days", but the legal period is one calendar month, so a request received on 31 January falls due on 28 February (29 in a leap year). The period can be extended by two further months where necessary, taking into account the complexity and number of requests, but you must inform the individual of the extension, and the reasons for it, within the first month. Note that "without undue delay" is the standard for the erasure itself: the month is a ceiling for responding, not a grace period to use up.

Article 17(2) adds an important layer: if the controller has made the personal data public (published it online, for example), they must take "reasonable steps" to inform other controllers processing that data that the individual has requested erasure. This is the "right to be forgotten" aspect -- it extends beyond just your own systems to include a duty to notify others.

Article 17(3) sets out the exceptions -- situations where you can refuse an erasure request. More on these below.

The Six Grounds for Erasure

Under Article 17(1)(a)-(f), an individual can request erasure of their personal data if any of these six conditions is met:

1. The Data Is No Longer Necessary

The personal data was collected for a specific purpose, and that purpose has been fulfilled. There is no longer any reason to keep it.

Example: A customer bought a product from you two years ago and has no ongoing relationship with your business. The browsing and session data you collected around that purchase is no longer necessary for the purpose it was collected for (completing the transaction). The transaction record itself may still be needed for accounting, which is where the exceptions below come in.

In practice: This is the most common ground. If you are keeping data beyond its useful life with no legitimate reason, you should be deleting it proactively -- not waiting for someone to ask.

2. Consent Has Been Withdrawn

The individual originally gave consent for the processing, and they have now withdrawn that consent. If consent was your only lawful basis for processing, you must stop processing and, if the individual requests, delete the data.

Example: Someone signed up for your newsletter (consent-based processing). They unsubscribe and then ask you to delete the personal data you collected. If you have no other lawful basis for keeping it, you must comply.

Important nuance: Withdrawal of consent does not affect the lawfulness of processing done before the withdrawal. You do not need to "undo" things you did with the data when you had valid consent. But you must stop going forward and delete if requested.

3. The Individual Objects to the Processing

Under GDPR Article 21(1), individuals can object, on grounds relating to their particular situation, to processing based on legitimate interests or public task. If they object, you must stop processing unless you can demonstrate "compelling legitimate grounds" that override the individual's interests, rights and freedoms, or the processing is needed for legal claims. Article 17(1)(c) ties this to erasure: if no overriding grounds exist and the individual requests erasure, you must delete.

For direct marketing (Article 21(2)), the right to object is absolute. If someone objects to their data being used for marketing, you must stop, and delete if they ask. No balancing test. The one practical caveat: to make sure you honour the objection in future, it is generally accepted that you may keep a minimal suppression-list entry (typically just the e-mail address or a hash of it) whose sole purpose is to stop that person being re-added to campaigns; keep nothing else, and say in your response that you are doing this.

Example: A customer objects to you using their purchase history for personalized recommendations (legitimate interest processing). If you cannot demonstrate compelling grounds, you stop the processing. If they then ask you to delete the data, you comply.

4. The Data Was Unlawfully Processed

If the personal data was processed without a lawful basis -- you had no valid consent, no contract, no legitimate interest, no legal obligation, or other lawful basis -- the data was processed unlawfully and must be deleted on request.

Example: You collected personal data through a form on your website but had no privacy policy, no lawful basis identified, and no consent mechanism. A user requests erasure. You have no basis to refuse.

5. Legal Obligation Requires Deletion

A legal obligation under EU or member state law requires you to delete the data.

Example: A data retention law in a member state specifies that certain records must be deleted after a defined period. If that period has passed and someone requests erasure, the legal obligation ground applies.

6. Data Was Collected from a Child for Online Services

If the personal data was collected from a child in relation to the offer of "information society services" (essentially, online services offered directly to a child, the situation Article 8(1) covers), the right to erasure applies. This ground reflects the principle that children cannot fully understand the implications of data processing and deserve special protection. Recital 65 makes clear that it can still be exercised later, once the person is no longer a child.

Example: A child signed up for a social media platform or online game. They (or their parent) can request erasure of the data collected during their use of the service.

The Exceptions: When You Can Refuse

Article 17(3) of the GDPR provides specific exceptions where the right to erasure does not apply, even if one of the six grounds above is met. If one of these exceptions applies, you can refuse the erasure request.

Freedom of Expression and Information

You can refuse erasure if the processing is necessary for exercising the right to freedom of expression and information. This primarily protects journalism, academic work, and artistic expression.

Example: A newspaper published an article containing personal data about someone. That person requests erasure. The newspaper can refuse based on freedom of expression.

For most businesses: This exception rarely applies. You are not a newspaper. If a customer asks you to delete their data, you probably cannot invoke freedom of expression.

Legal Obligation

You can refuse erasure if the processing is necessary to comply with a legal obligation under EU or member state law, or to perform a task carried out in the public interest or in the exercise of official authority (Article 17(3)(b)). The legal-obligation half is the most practically relevant exception for businesses.

Example: Tax and accounting law requires you to retain financial records (including personal data on invoices) for a set period; the length varies by member state, commonly somewhere between six and ten years. If a former customer requests erasure during that period, you can refuse to delete the financial records -- but you should still delete any other personal data that is not covered by the legal obligation. The exception is also time-limited: once the retention period expires, the ground for keeping the record goes with it.

Public Health

Processing is necessary for reasons of public interest in the area of public health. This covers situations like managing cross-border health threats or ensuring quality and safety standards for medicines and medical devices.

For most businesses: Not relevant unless you work in public health.

Archiving in the Public Interest, Scientific or Historical Research, or Statistical Purposes

You can refuse erasure if the data is being processed for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, and erasure would seriously impair the achievement of those objectives.

For most businesses: Not relevant unless you conduct genuine research. Your internal business analytics do not qualify.

Legal Claims

You can refuse erasure if the data is necessary for the establishment, exercise, or defense of legal claims.

Example: A customer has threatened to sue you. You can retain their personal data that is relevant to the potential litigation, even if they request erasure. But only the data relevant to the claim, and only for as long as the claim is live.

Practical tip: This exception is time-limited. Once the legal claim is resolved or the limitation period expires, you can no longer rely on it.

How the Right to Erasure Relates to DSARs

The right to erasure and data subject access requests (DSARs) are separate rights, but they often come together. It is common for someone to:

  1. Submit a DSAR to find out what data you hold about them
  2. Review the data
  3. Submit an erasure request for some or all of it

Sometimes both requests come in the same email: "Tell me what data you have about me and then delete it." Handle them as two separate requests with the same deadline.

The one-month window (Article 12(3)) applies to both. If someone submits a DSAR and an erasure request simultaneously, you need to:

  • Provide the data (fulfilling the access request) within one month
  • Delete the data (fulfilling the erasure request) within one month

There is a logical tension here -- you need to provide the data before deleting it -- but the timelines are the same. The practical approach is to fulfil the access request first, then proceed with erasure, all within the one-month window.

For more on the DSAR process specifically, see our DSAR Compliance Guide.

Practical Process for Handling Erasure Requests

Here is a step-by-step process for handling an erasure request in a small business:

Step 1: Receive and Log the Request

An erasure request can come in any form -- email, letter, phone call, social media message, web form. There is no required format, and it does not have to cite GDPR or Article 17. If someone says "delete my data," that is a valid request, whichever employee or mailbox it reaches, so staff need to know where to route it.

Log the request immediately:

  • Date received
  • Requester's name and contact details
  • What they are asking to have deleted (everything, or specific data)
  • How they submitted the request

Step 2: Verify Identity

Before deleting someone's data, you need to be reasonably confident that the person making the request is who they say they are (Recital 64 expects the controller to use "all reasonable measures" to verify identity). You do not want to delete a customer's account because an ex-partner or a competitor submitted a fraudulent request, and a fraudulent erasure request is also a cheap way for someone to destroy records that count against them, such as a history of abuse or fraud on your platform. Treat erasure as a privileged, destructive operation and protect it accordingly.

Proportionate verification means:

  • For authenticated users (they are logged into their account): The session normally establishes identity, but because erasure is irreversible, ask for a fresh password or second-factor check at the moment of the request, the same way you would for changing the account's e-mail address, so that a stolen session cookie cannot trigger it.
  • For email requests from a known email address: The From: header can be forged, so do not rely on it. Matching the address to an account is sufficient for routine data only if you then confirm by writing to that address on file (a reply, or a single-use confirmation link) before you act.
  • For requests involving sensitive data or where identity is uncertain: Article 12(6) lets you request the additional information you need to confirm identity (a copy of ID, answering security questions, etc.). Do not ask for more than necessary, and delete any ID document you collected once the check is done; it is itself personal data you no longer need.

If you need additional verification, ask for it promptly. Treat the one-month clock as running from receipt of the request; supervisory authorities differ on whether it pauses while you wait for proof of identity, so ask on day one rather than rely on a pause.
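Matching an e-mailed request to an account only means something if you know the mail really came from that address, and the From: header proves nothing. The Python below is added here as an illustration (it is not from the article or any particular product) of the proportionate approach for e-mail requests: send a single-use, time-limited, HMAC-signed confirmation link to the address on file and act on the request only when that link is clicked. The signing key, the request ids, the 24-hour validity and the in-memory nonce store are constructed for the example.

```python
"""Proportionate identity check for an e-mailed erasure request: instead of trusting
the From: header, mail a single-use, time-limited confirmation link to the address
on file and only act on the request once it is clicked. Added example; the key,
request ids and the in-memory nonce store are constructed stand-ins."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

SIGNING_KEY = secrets.token_bytes(32)      # constructed; load from a secret store in production
TOKEN_TTL = 24 * 3600                      # seconds a confirmation link stays valid (assumed)
_used_nonces: set[str] = set()             # single-use enforcement (constructed in-memory store)


def _mac(request_id: str, account_email: str, nonce: str, expires: int) -> str:
    """Bind the token to the request, the address on file, a nonce and an expiry."""
    msg = f"{request_id}|{account_email.lower()}|{nonce}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_confirmation(request_id: str, account_email: str, now: float | None = None) -> str:
    """Return the query string for the link mailed to *account_email*, the address on
    the account, never the address the request appeared to come from."""
    now = time.time() if now is None else now
    expires = int(now + TOKEN_TTL)
    nonce = secrets.token_urlsafe(16)
    return urlencode({"rid": request_id, "n": nonce, "exp": expires,
                      "sig": _mac(request_id, account_email, nonce, expires)})


def parse_link(query: str) -> dict[str, str]:
    """Turn the clicked link's query string back into a flat dict."""
    return {k: v[0] for k, v in parse_qs(query).items()}


def confirm(params: dict[str, str], account_email: str, now: float | None = None) -> bool:
    """Accept the click only if the MAC is valid for the address on file, the link
    has not expired, and the nonce has not been used before."""
    now = time.time() if now is None else now
    try:
        expires = int(params["exp"])
        expected = _mac(params["rid"], account_email, params["n"], expires)
    except (KeyError, ValueError):
        return False
    if not hmac.compare_digest(expected, params.get("sig", "")):
        return False                       # forged or tampered link
    if now > expires or params["n"] in _used_nonces:
        return False                       # stale link, or replayed from a mailbox or proxy log
    _used_nonces.add(params["n"])          # consume it: one click, one confirmation
    return True
```

Two design points carry the security weight: the MAC covers the address on file, so a link issued for one account cannot confirm a request against another, and the nonce is consumed on first use, so a link copied out of a forwarded e-mail or a web proxy log cannot be replayed. Record the confirmation (who, when, which request) in the log from Step 1; it is your evidence that verification happened.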

Step 3: Assess the Request

Determine:

  • Which ground applies? Review the six grounds above and identify which one (or more) the request falls under.
  • Does an exception apply? Check whether you have a legal obligation to retain some or all of the data, whether there are pending legal claims, or whether another exception is relevant.
  • What data is affected? Identify all personal data you hold about the individual across all systems. Your Article 30 record of processing activities and your data map are the starting point; searching every system by every identifier you hold for the person (e-mail address, customer id, phone number) is the check.

Step 4: Take Action

If no exception applies: Delete the personal data from all systems. This includes:

  • Your primary database or application
  • CRM and marketing tools
  • Email (search for their name and email address)
  • Cloud storage (search for files containing their data)
  • Customer support systems
  • Analytics tools (where individual data is identifiable)
  • Any other system where their data exists

For each system, verify the deletion: re-run the same searches that found the data and record that they now come back empty. Do not just click "delete" and assume it worked. Soft-delete flags, caches, search indexes, data-warehouse copies and exported spreadsheets are the usual places where "deleted" data survives.

Regarding backups: most businesses cannot selectively delete from backups. The accepted approach is to delete from all active systems, tell the individual that backups may still hold the data until they expire on your stated backup retention schedule, and make sure the data is put beyond use in the meantime: keep a list of erased subjects (an identifier, not the data) so that if a backup is ever restored the erasure is re-applied before the restored data goes back into use.

If an exception applies to some data: Delete what you can and retain what you must. Inform the individual about what was deleted and what was retained, including the reason for retention.

If the data was made public: Article 17(2) requires you to take "reasonable steps" to inform other controllers who are processing the data that the individual has requested erasure. What counts as "reasonable" depends on the circumstances and available technology. At minimum, notify third parties you have shared the data with directly. Independently of 17(2), Article 19 requires you to communicate the erasure to each recipient to whom you disclosed the data, unless that proves impossible or involves disproportionate effort, and to tell the individual who those recipients are if they ask. Your processors (hosting, e-mail, CRM and support vendors) are not exempt: under Article 28(3)(e) they must assist you with data subject requests, so send them the deletion instruction and keep their confirmation.

Step 5: Respond to the Individual

Within one month of receiving the request (Article 12(3)), and sooner where nothing justifies waiting:

  • If fully complied: Confirm that you have deleted their personal data. Briefly describe what was deleted and from which systems.
  • If partially complied: Explain which data was deleted and which was retained, and provide the specific legal basis for retention.
  • If refused: Explain clearly why the request was refused, citing the relevant exception under Article 17(3). Inform them of their right to complain to a supervisory authority and their right to seek a judicial remedy.

Always respond in writing (email is fine). Keep a record of the request and your response.

Step 6: Document Everything

Maintain a log of every erasure request you receive, including:

  • The request details
  • Your identity verification steps
  • Your assessment (grounds, exceptions)
  • Actions taken
  • Your response to the individual
  • Date of completion

This documentation protects you if a supervisory authority ever asks about your erasure practices.

Common Mistakes When Handling Erasure Requests

Treating Every Request as Absolute

The right to erasure is not absolute. You do not have to delete everything just because someone asks. Assess each request against the grounds and exceptions. Legitimate reasons to retain data (tax records, legal compliance, pending disputes) are perfectly valid.

Ignoring the Request Entirely

The other extreme is equally problematic. Ignoring an erasure request -- or taking months to respond -- is a compliance failure. Even if you plan to refuse the request, you must respond within one month with a clear explanation.

Deleting More Than Necessary

If an erasure request is for specific data, you only need to delete what was requested. If someone asks you to delete their marketing data, you do not need to delete their account and transaction history (though you should assess whether you still have a lawful basis for keeping the rest).

Forgetting Third Parties

If you have disclosed the individual's data to third parties, Article 19 requires you to inform each recipient of the erasure unless that is impossible or involves disproportionate effort, and Article 17(2) adds the duty to notify other controllers where you made the data public. Check your vendor list and your record of processing, notify the relevant recipients, and instruct your processors to delete as well.

Not Verifying Identity

Deleting data without verifying that the person making the request is the actual data subject can cause harm -- both to the person whose data is wrongly deleted and to your business.

The Right to Erasure vs. Data Retention

One of the biggest tensions in handling erasure requests is the conflict with data retention requirements. Here is how to think about it:

  • Legal retention requirements override erasure requests. If the law says you must keep tax records for 7 years, you keep them.
  • The override is limited to the specific data covered by the retention requirement. You can retain the invoice showing a transaction, but you should still delete marketing preferences, browsing history, and other data not covered by the retention obligation.
  • Document your retention periods. Having a clear data retention schedule makes it straightforward to explain what you are keeping and why.
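A worked version of Steps 3 to 6 above and of the retention tension just described. This Python is added here as an illustration; it is not from the article, and the retention schedule (a seven-year tax period), the in-memory "systems", the record categories and the data subject ids are all constructed. It computes the Article 12(3) deadline as a calendar month (including the 31 January edge case), splits one subject's records into delete versus retain using the schedule and any legal hold, deletes from the simulated systems, re-scans for residue, and returns the audit entry you would keep under Step 6.

```python
"""Erasure-request triage: Art. 12(3) deadline, delete/retain split driven by a retention
schedule, deletion across systems with a residue scan, and an audit-log entry.
Added example; every name, period and record below is constructed."""
from __future__ import annotations

import calendar
import copy
from dataclasses import dataclass
from datetime import date

# Constructed retention schedule: category -> (years to keep from the record's date,
# Article 17(3) exception relied on). None means no obligation: erase on request.
RETENTION_SCHEDULE: dict[str, tuple[int | None, str | None]] = {
    "invoice": (7, "Art. 17(3)(b): legal obligation to keep tax records (7 years assumed)"),
    "marketing_preferences": (None, None),
    "browsing_history": (None, None),
    "support_ticket": (None, None),
}

@dataclass(frozen=True)
class Record:
    subject_id: str
    system: str          # e.g. "billing", "crm", "analytics", "helpdesk"
    category: str        # key into RETENTION_SCHEDULE
    record_date: date
    legal_hold: bool = False   # flagged by counsel as relevant to a live claim

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic with month-end clamping (31 Jan + 1 month = 28/29 Feb)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def deadline(received_iso: str, extended: bool = False) -> str:
    """Art. 12(3): one month from receipt; two further months for complex or numerous
    requests, provided the individual is told of the extension within the first month."""
    return add_months(date.fromisoformat(received_iso), 3 if extended else 1).isoformat()

def assess(records: list[Record], today: date) -> tuple[list[Record], list[tuple[Record, str]]]:
    """Split into (delete, retain-with-reason): keep only what an Art. 17(3) exception still covers."""
    delete, retain = [], []
    for rec in records:
        if rec.legal_hold:
            retain.append((rec, "Art. 17(3)(e): needed for legal claims"))
            continue
        years, reason = RETENTION_SCHEDULE.get(rec.category, (None, None))
        if years is not None and today < add_months(rec.record_date, 12 * years):
            retain.append((rec, reason))      # obligation still running
        else:
            delete.append(rec)                # no obligation, or it has expired
    return delete, retain

def handle_request(subject_id: str, received_iso: str, today_iso: str,
                   stores: dict[str, list[Record]], extended: bool = False) -> dict:
    """Run Steps 3 to 6 for one request and return the audit-log entry.
    `stores` stands in for the real systems and is modified in place."""
    today = date.fromisoformat(today_iso)
    found = [r for recs in stores.values() for r in recs if r.subject_id == subject_id]
    delete, retain = assess(found, today)
    for rec in delete:                                 # Step 4: delete system by system
        stores[rec.system] = [r for r in stores[rec.system] if r != rec]
    kept = {r for r, _ in retain}
    residue = [r for recs in stores.values() for r in recs    # Step 4: verify, do not assume
               if r.subject_id == subject_id and r not in kept]
    due = deadline(received_iso, extended)
    return {
        "subject_id": subject_id,
        "received": received_iso,
        "deadline": due,
        "deleted": sorted(f"{r.system}/{r.category}" for r in delete),
        "retained": sorted((f"{r.system}/{r.category}", why) for r, why in retain),
        "residue": [f"{r.system}/{r.category}" for r in residue],   # must be empty
        "completed": today_iso,
        "on_time": today_iso <= due,       # ISO dates compare correctly as strings
    }

# Constructed sample: two data subjects spread over four systems.
SAMPLE_STORES: dict[str, list[Record]] = {
    "billing": [Record("ds-1042", "billing", "invoice", date(2021, 3, 15)),
                Record("ds-1042", "billing", "invoice", date(2017, 1, 10)),
                Record("ds-2000", "billing", "invoice", date(2024, 6, 1))],
    "crm": [Record("ds-1042", "crm", "marketing_preferences", date(2021, 3, 15))],
    "analytics": [Record("ds-1042", "analytics", "browsing_history", date(2025, 11, 2))],
    "helpdesk": [Record("ds-1042", "helpdesk", "support_ticket", date(2025, 12, 1), legal_hold=True),
                 Record("ds-2000", "helpdesk", "support_ticket", date(2025, 12, 3))],
}

def run_sample() -> tuple[dict, dict[str, list[Record]]]:
    """Handle the sample request on a copy of the stores; returns (audit entry, stores after)."""
    stores = copy.deepcopy(SAMPLE_STORES)
    return handle_request("ds-1042", "2026-01-31", "2026-02-07", stores), stores
```

For the sample subject, the 2021 invoice is kept under the tax obligation and the help-desk ticket under legal hold, while the 2017 invoice (obligation expired), the marketing preferences and the browsing history are deleted; the other subject's records are untouched. The point of the `residue` field is the check in Step 4: the same search that found the data is re-run after deletion, and anything left that is not on the retained list is a failed erasure, not a success. Replacing the in-memory stores with calls to your real systems is the only change needed to use the same structure for a genuine request.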

Cross-Border Considerations

If your business operates in both the EU and the US, you may receive erasure requests under both GDPR and US state privacy laws. The core process is similar, but the legal details differ. For a full comparison, see our guide on the right to delete under CCPA vs the right to be forgotten under GDPR.

For US-specific considerations, including the growing patchwork of state deletion rights, see our guide on the right to be forgotten in the US.

Last reviewed: February 2026. Privacy laws change frequently. Verify all statutory references against the current text of the law and consult qualified legal counsel before making compliance decisions for your business.


Get the Free DSAR Response Templates

Handling erasure requests properly means having the right process and the right communication templates. Our free DSAR Response Template Pack includes templates for acknowledging erasure requests, confirming deletion, partially refusing requests, and documenting your process -- all designed for small businesses.

Download the free DSAR Response Templates