Definition

    What Is the Right to Be Forgotten?

    The right to be forgotten is a data subject's right under the GDPR to request the erasure of their personal data when it is no longer necessary, when consent is withdrawn, or when it was unlawfully processed.

    The right to be forgotten, formally known as the right to erasure under Article 17 of the GDPR, allows individuals to request that an organization delete their personal data under certain circumstances. This right gained prominence following the landmark 2014 Court of Justice of the European Union (CJEU) ruling in Google Spain v. AEPD, where the court held that individuals have the right to request that search engines remove links to web pages containing outdated or irrelevant personal information about them. The GDPR codified and expanded this right, making it one of the most significant and widely discussed data subject rights in modern privacy law.

    Under the GDPR, an individual can request erasure of their personal data in several specific situations: when the data is no longer necessary for the purpose for which it was collected; when the individual withdraws the consent on which the processing was based and there is no other legal basis; when the individual objects to the processing and there are no overriding legitimate grounds; when the data has been unlawfully processed; when erasure is required to comply with a legal obligation; or when the data was collected in relation to the offer of information society services to a child. Upon receiving a valid erasure request, the controller must delete the data without undue delay and, in any case, within one month.

    The right to be forgotten is not absolute. The GDPR provides several exceptions where a controller may refuse an erasure request. These include situations where the data is necessary for exercising the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest in the area of public health, for archiving purposes in the public interest or scientific and historical research, or for the establishment, exercise, or defense of legal claims. For example, a bank cannot be required to delete transaction records that it is legally obligated to retain for anti-money laundering purposes, even if the customer closes their account and requests full data deletion.

    When a controller has made personal data public and is obligated to erase it, the controller must take reasonable steps to inform other controllers who are processing that data about the erasure request. This is particularly relevant for search engines and social media platforms. In practice, implementing the right to be forgotten requires organizations to have robust data mapping, clear data retention policies, and efficient processes for handling erasure requests. Organizations must also ensure that data is deleted from backups and archives within a reasonable timeframe, and that processors and sub-processors are instructed to delete the data as well. The right to be forgotten has become a cornerstone of individuals' digital privacy, with Google alone processing millions of URL removal requests since the original 2014 ruling.

    Key Points About the Right to Be Forgotten

    • Codified in Article 17 of the GDPR as the 'right to erasure.'
    • Applies when data is no longer necessary, consent is withdrawn, or processing is unlawful.
    • Controllers must respond to valid erasure requests within one month.
    • Not absolute: exceptions exist for legal obligations, public interest, freedom of expression, and legal claims.
    • Controllers must take reasonable steps to inform other parties processing the data about the erasure request.
    • Data must be deleted from backups and archives within a reasonable timeframe.
    • Google has processed millions of URL removal requests since the 2014 CJEU ruling.

    Example

    A user who created an account on a social media platform five years ago decides to leave the service permanently. They submit a data erasure request through the platform's privacy settings. The platform deletes the user's profile, posts, photos, friend lists, and message history within 30 days. It also instructs its cloud hosting provider (a data processor) to purge the user's data from its servers and notifies search engines to de-index cached versions of the user's public profile page.
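    The erasure workflow described above and in the implementation notes (evaluate the ground for the request, apply retention exceptions record by record, compute the one-month deadline, instruct processors, and notify other controllers for data that was made public) can be expressed as a small decision routine. The following is an added example and not code from the page or any real platform; the data categories, the processor name "cloud-host", the retention table, and the inventory it runs on are constructed assumptions.

```python
"""Added example: an Article 17 erasure-request handler over a record inventory.
Category names, processor names and the retention table are constructed assumptions."""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Ground(Enum):
    """Grounds for erasure listed in Article 17(1)."""
    NO_LONGER_NECESSARY = "data no longer necessary for its original purpose"
    CONSENT_WITHDRAWN = "consent withdrawn and no other legal basis"
    OBJECTION = "objection with no overriding legitimate grounds"
    UNLAWFUL = "data unlawfully processed"
    LEGAL_OBLIGATION = "erasure required by a legal obligation"
    CHILD_ISS = "data collected from a child for information society services"


@dataclass
class Record:
    """One category of personal data the controller holds about the data subject."""
    category: str
    processor: str | None = None   # hypothetical processor holding a copy, if any
    public: bool = False           # True if the controller made this data public


# Hypothetical retention table: categories the controller must keep (Article 17(3)),
# mapped to the reason it gives when refusing erasure of that category.
RETENTION_EXCEPTIONS: dict[str, str] = {
    "transactions": "compliance with a legal obligation (anti-money-laundering retention)",
}


@dataclass
class ErasureOutcome:
    deadline: date                                     # at most one month after receipt
    erased: list[str] = field(default_factory=list)
    refused: dict[str, str] = field(default_factory=dict)
    processor_instructions: dict[str, list[str]] = field(default_factory=dict)
    onward_notifications: list[str] = field(default_factory=list)


def one_month_after(d: date) -> date:
    """Statutory one-month deadline, clamped to the last day of a shorter month."""
    year = d.year + (d.month == 12)
    month = d.month % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def handle_erasure_request(received: date, ground: Ground, records: list[Record],
                           other_legal_basis: bool = False) -> ErasureOutcome:
    """Decide per record whether erasure is required and which follow-up duties it triggers."""
    outcome = ErasureOutcome(deadline=one_month_after(received))

    # Withdrawal of consent only supports erasure when no other legal basis remains.
    if ground is Ground.CONSENT_WITHDRAWN and other_legal_basis:
        for rec in records:
            outcome.refused[rec.category] = "processing continues on another legal basis"
        return outcome

    for rec in records:
        if rec.category in RETENTION_EXCEPTIONS:
            outcome.refused[rec.category] = RETENTION_EXCEPTIONS[rec.category]
            continue
        outcome.erased.append(rec.category)
        # Processors and sub-processors must be instructed to delete their copies as well.
        if rec.processor:
            outcome.processor_instructions.setdefault(rec.processor, []).append(rec.category)
        # Data the controller made public triggers the onward-notification duty (Article 17(2)).
        if rec.public:
            outcome.onward_notifications.append(
                f"inform other controllers processing '{rec.category}' of the erasure request")
    return outcome


def demo_outcome() -> ErasureOutcome:
    """Run the handler on a constructed inventory mirroring the social-media example."""
    inventory = [
        Record("profile", processor="cloud-host", public=True),
        Record("posts", processor="cloud-host", public=True),
        Record("messages", processor="cloud-host"),
        Record("transactions"),   # retained under a legal obligation, so refused
    ]
    return handle_erasure_request(date(2024, 1, 31), Ground.CONSENT_WITHDRAWN, inventory)


if __name__ == "__main__":
    print(demo_outcome())
```

    The routine is deliberately per category rather than all-or-nothing, since the page's bank example shows that a single request can be honoured for most data while a legally retained category is refused with a stated reason; recording both halves gives the controller the audit trail it needs when explaining a partial refusal.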
