The Right to Be Forgotten — Article 17 GDPR in Practice
The right to erasure — commonly known as the right to be forgotten — is one of the most well-known and simultaneously most frequently misunderstood rights under the GDPR. Many individuals believe they can demand the deletion of their data in any situation, and the controller must comply immediately. Conversely, many companies refuse deletion requests without justification or simply do not know how to properly handle them.
The truth lies in between — Article 17 GDPR grants individuals the right to erasure, but this right is not absolute. The controller may — and in some cases must — refuse. The key is understanding when a request is justified and when the controller has grounds for refusal.
This article explains how to properly handle the right to erasure — from both the data subject’s and the controller’s perspectives, with references to UODO decisions, CJEU case law, and EDPB guidelines.
Legal Basis — Article 17 GDPR
Article 17(1) GDPR provides that the data subject shall have the right to obtain from the controller the erasure of personal data concerning them without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a) Data no longer necessary — the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed. Example: a company collected customer data to fulfil an order. The order has been fulfilled, the complaint period has elapsed, and tax documents have been archived — the customer’s contact data is no longer needed.
b) Withdrawal of consent — the data subject withdraws the consent on which the processing is based, and there is no other legal ground for the processing. Example: a customer withdraws newsletter consent. If the email address is not processed on any other basis, it must be deleted.
c) Objection to processing — the data subject has objected under Article 21(1) GDPR (objection to processing based on legitimate interest or public interest) and there are no overriding legitimate grounds for the processing, or the data subject has objected to processing for direct marketing purposes (Article 21(2)) — in the latter case the objection is absolute.
d) Unlawful processing — the personal data have been unlawfully processed. Example: a company processed data without any legal basis under Article 6 GDPR.
e) Legal obligation — the personal data have to be erased to comply with a legal obligation under EU or Member State law.
f) Child’s data — the personal data have been collected in relation to the offer of information society services directly to a child (Article 8(1) GDPR). This ground reflects the special protection of children in the digital environment.
When the Controller MAY Refuse — Article 17(3) Exceptions
Article 17(3) GDPR provides a closed catalogue of situations in which the controller may refuse erasure:
a) Freedom of expression and information — processing is necessary for exercising the right of freedom of expression and information. This primarily concerns media and journalists — an editorial office does not have to remove an article containing personal data if the publication serves public debate. However, this exception has limitations — not every publication automatically qualifies under freedom of expression.
b) Legal obligation — processing is necessary for compliance with a legal obligation. This is the most commonly applied exception. Examples: tax documentation (tax law requires 5-year retention), medical records (Patient Rights Act — 20 years), employee personnel files (Labour Code — 10 or 50 years), AML documentation (Anti-Money Laundering Act — 5 years).
c) Public interest in public health — e.g., epidemic monitoring, medicinal product safety.
d) Archiving, research, statistical purposes — processing is necessary for archiving in the public interest, scientific research, or statistical purposes, and erasure would render impossible or seriously impair the achievement of those purposes.
e) Establishment, exercise, or defence of legal claims — the controller may retain data needed to defend against claims or pursue its own. Example: a customer requests data deletion, but there is an ongoing legal dispute with that customer. The controller may refuse erasure until the dispute is resolved.
The Right to Be Forgotten and Search Engines — Google Spain
The right to be forgotten gained prominence through the landmark CJEU ruling in Google Spain (C-131/12, 2014). The Court held that a search engine operator is a data controller and must comply with requests to remove links to pages containing personal data — if the information is inadequate, irrelevant, or excessive in relation to the processing purposes.
What the ruling means in practice:
An individual may submit a request to Google (or another search engine) to remove a link that appears when their name is searched. Google does not remove the source page — it only removes the link from search results.
Google must conduct a balancing test — whether the individual’s right to privacy overrides the public’s right to information. For public figures (politicians, businesspeople, celebrities), the right to information more often prevails.
In Case C-507/17 (Google v. CNIL, 2019), the CJEU clarified that the obligation to delist links applies in principle to European versions of the search engine (google.pl, google.de, etc.), not global versions — although the controller must take measures to discourage circumvention of geo-blocking.
How to Properly Handle an Erasure Request — Step-by-Step Procedure
Step 1: Identify the Request
An erasure request does not need to follow a specific form — it may be submitted by email, in writing, orally, or through a website form. The controller must recognise that it is an Article 17 GDPR request, even if the individual does not expressly cite that provision. The sentence “I want you to delete my data” is an Article 17 request.
Step 2: Verify Identity
The controller must be confident that the request comes from the data subject — not from a third party impersonating them. Verification should be proportionate — the controller cannot demand more data than necessary to confirm identity.
In practice: if the request comes from an email address in the database, that is usually sufficient proof. If it comes from an unknown address, additional confirmation may be requested (e.g., providing identifying information held in the database).
Step 3: Assess Whether the Request Is Justified
Check whether at least one of the grounds in Article 17(1) applies (data no longer necessary, consent withdrawal, objection, unlawful processing, etc.).
Then check whether an exception under Article 17(3) applies (legal obligation, freedom of expression, legal claims, etc.).
If the request is justified and no exception applies — you must delete the data.
If an exception applies — you may refuse, but you must inform the individual of the reason for refusal and their right to lodge a complaint with UODO.
Step 4: Determine the Scope of Erasure
The request may concern all data or only part of it. Moreover, even if the request is justified in relation to one processing purpose, data may still be processed on a different basis for a different purpose.
Example: an online shop customer requests “deletion of all data.” The shop must delete the user account and login data, behavioural data (browsing history, cookies), and marketing data (newsletter, profiling). But it may retain invoice and accounting data (5 years — tax obligation), data needed for handling complaints (until the warranty/guarantee period expires), and data needed to defend against claims (6 years — general limitation period).
Step 5: Execute the Erasure
Erasure must be actual — merely “deactivating” an account or “hiding” data is not sufficient. Data must be permanently deleted from all systems, backups (within a reasonable timeframe — the EDPB accepts deletion from backups at the next overwrite cycle), and storage media.
If data has been disclosed to other entities (e.g., processors, sub-processors), the controller must inform them of the erasure request (Article 17(2) GDPR — the “right to be forgotten” in the strict sense). The controller must take reasonable steps to inform processors, taking into account available technology and the cost of implementation.
Step 6: Respond to the Individual
The controller must inform the individual of the actions taken without undue delay, and no later than one month from receiving the request (Article 12(3) GDPR). The deadline may be extended by 2 months for complex requests — but the controller must inform the individual of the extension within the first month.
The response should include: information about the data deleted (scope), information about data not deleted (with justification — e.g., “invoice data is retained under a tax obligation”), and guidance on the right to lodge a complaint with UODO.
Step 7: Document
Document the entire process: the date the request was received, the identity verification method, the analysis of grounds and exceptions, the decision taken, the date and scope of erasure, and the response sent to the individual. Documentation is essential in the event of a UODO audit or a complaint.
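The scope and deadline logic of Steps 4 and 6, condensed into a small decision helper. This is an added example, not code from the original article: it assumes the online-shop data categories and the retention periods quoted in Step 4 (tax 5 years, limitation period 6 years) and the Article 12(3) one-month deadline from Step 6; the category labels, function names and the sample request are my own.

```python
from dataclasses import dataclass
from datetime import date
from calendar import monthrange

# Retention exceptions for the online-shop scenario in Step 4:
# category -> (justification quoted in the response, retention period in years).
# The periods are the ones the article cites (tax: 5 years, limitation: 6 years);
# every other category is deleted on request. Category names are my own labels.
RETENTION_RULES = {
    "invoice": ("retained under Art. 17(3)(b) GDPR - tax obligation, 5 years", 5),
    "claims_defence": ("retained under Art. 17(3)(e) GDPR - limitation period, 6 years", 6),
}

@dataclass(frozen=True)
class DataItem:
    category: str  # e.g. "account", "behavioural", "marketing", "invoice"
    trigger: date  # date the retention period runs from (e.g. invoice date)

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamped to month end (31 Jan + 1 month = 28/29 Feb)."""
    y, m = divmod(d.month - 1 + months, 12)
    y, m = d.year + y, m + 1
    return date(y, m, min(d.day, monthrange(y, m)[1]))

def plan_erasure(items, received: date, complex_request: bool = False) -> dict:
    """Step 4 + Step 6: split items into delete/retain (with the justification the
    response must give) and compute the Art. 12(3) deadline: one month, or three
    when the one-month period is extended by two months for a complex request."""
    delete, retain = [], []
    for item in items:
        rule = RETENTION_RULES.get(item.category)
        # A retention exception only blocks erasure while its period is still running.
        if rule and received < add_months(item.trigger, 12 * rule[1]):
            retain.append((item.category, rule[0]))
        else:
            delete.append(item.category)
    return {"delete": delete, "retain": retain,
            "respond_by": add_months(received, 3 if complex_request else 1)}

def demo() -> dict:
    """Constructed sample request (not real data): received 31 Jan 2024."""
    items = [
        DataItem("account", date(2020, 1, 1)),
        DataItem("marketing", date(2023, 5, 2)),
        DataItem("invoice", date(2022, 3, 15)),        # 5-year period still running -> retain
        DataItem("invoice", date(2018, 6, 1)),         # period expired in 2023 -> delete
        DataItem("claims_defence", date(2019, 1, 1)),  # runs to 2025 -> retain
    ]
    return plan_erasure(items, date(2024, 1, 31))
```

The returned "retain" pairs are the justifications Step 6 says the response must carry, and the whole dictionary is the record Step 7 asks you to keep alongside the request date and identity-verification method.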
Right to Erasure in Specific Scenarios
Online Shop
A customer requests account and data deletion. The shop must delete the user account and login data, behavioural data, and marketing data. The shop may retain invoice and accounting data (5 years — tax obligation), data needed for complaint handling, and data needed to defend against claims (6 years — limitation period).
Employer / HR
A former employee requests data deletion. The employer must delete data beyond legal obligations (e.g., photo from the company website, benefits system data). The employer may retain personnel files (10 years — for employees hired from 2019), tax and social insurance documentation (5 years), and documents needed to defend against employment claims.
A candidate after an unsuccessful recruitment requests data deletion. The employer must delete data promptly — unless the candidate consented to processing for future recruitment (then for the period specified in the consent).
Healthcare Provider
A patient requests deletion of medical data. The provider refuses — medical records must be retained for 20 years. Basis for refusal: Article 17(3)(b) GDPR (legal obligation). The patient may request deletion of data beyond medical records (e.g., marketing data, loyalty programme data).
Search Engine
An individual requests link removal from search results (Google, Bing). The search engine must conduct a balancing test: right to privacy vs. public’s right to information. Public figures have a lower chance of link removal. Information concerning crimes, corruption, or public safety threats will be harder to remove.
Erasure vs Anonymisation
An alternative to erasure may be anonymisation — transforming data so that identification of the individual is no longer possible. Anonymised data is not personal data under the GDPR and may be freely stored and processed.
Anonymisation must be irreversible — if the data can be re-linked to an individual (e.g., through cross-referencing with other datasets), it is pseudonymisation, not anonymisation, and remains subject to the GDPR.
In practice, anonymisation is used when the controller wants to retain data for statistical or analytical purposes but no longer needs identifying information.
Most Common Erasure Mistakes
Automatic refusal — the controller refuses every request without analysis, citing “legal requirements” generically without identifying the specific provision.
Ignoring the request — the controller does not respond. Failure to respond within 1 month is a GDPR violation.
Token erasure — the controller “deactivates” the account, but data remains in the system. Erasure must be actual.
Excessive erasure — the controller deletes all data, including data it is legally required to retain (e.g., invoices). This may violate tax regulations.
No information about partial refusal — the controller deletes some data but does not inform the individual which data was retained and why.
No processor notification — the controller deletes data internally but does not inform processors (hosting, CRM, mailing) about the need to delete.
No documentation — the controller does not document the process, making it difficult to demonstrate compliance during a UODO audit.
Fines for Violating the Right to Erasure
Article 17 is subject to fines under Article 83(5) — up to EUR 20 million or 4% of annual global turnover. This is the highest tier of fines under the GDPR — the same as for violations of processing principles or data subject rights.
European supervisory authorities have imposed fines for violations of the right to erasure — including failure to delete data after consent withdrawal, excessive retention without a legal basis, and failure to respond to data subject requests.
Checklist — Handling Data Erasure Requests
- Implement a procedure for handling erasure requests — who receives, assesses, and executes them?
- Train staff — particularly customer service, HR, and IT — how to recognise an Article 17 request.
- Verify the individual’s identity — proportionately, without collecting excessive data.
- Assess the grounds under Article 17(1) — is the request justified?
- Check the exceptions under Article 17(3) — do you have grounds for (partial) refusal?
- Determine the scope of erasure — which data to delete, which to retain (and on what basis).
- Delete data actually — from all systems, databases, and backups.
- Notify processors — of the need to delete data from their systems.
- Respond within 1 month — with information about the scope of erasure and any refusal with justification.
- Document the entire process — in case of a UODO audit or complaint.
- Inform about the right to complain to UODO — particularly in cases of refusal.
- Regularly review data — proactively delete data whose retention period has expired, without waiting for requests.
Need Help With Data Erasure Requests?
Properly handling erasure requests requires a case-by-case legal analysis — assessing grounds, exceptions, the scope of erasure, and retention obligations. Mistakes can result in both a UODO fine (for failure to delete) and violations of other regulations (for excessive deletion of legally required documentation).
At the Law Office of Dr Joanna Maniszewska-Ejsmont, we help companies implement data subject rights procedures — including the right to erasure — tailored to the organisation’s specifics and sector.

Contact us — we will prepare the procedure and assist with handling requests.
