The “right to be forgotten” is the GDPR right people know by name — and the one most often misunderstood as an absolute power to demand deletion. In reality it is a carefully bounded right with clear grounds and important exemptions, and handling it well is a frequently tested part of GDPR compliance.
This guide explains where the right comes from, when it applies, the exemptions, and exactly how to handle an erasure request from start to finish.
What the right to be forgotten is
The right to be forgotten — formally the right to erasure under Article 17 — lets individuals ask you to delete their personal data in certain circumstances. It is one of GDPR’s most powerful rights, and one of the most misunderstood.
The key thing to grasp at the outset is that it is not absolute. People can request erasure, but you are only obliged to comply when one of the specified grounds applies and no exemption overrides it.
Where the right came from
The concept gained prominence through a 2014 European court ruling (the so-called Google Spain case), which established that individuals could, in some cases, require search engines to remove links to information about them. GDPR later codified a broader right to erasure that applies to all controllers, not just search engines.
That history is why the right is popularly called “the right to be forgotten”, even though the legal term is erasure.
When the right applies
Article 17 sets out specific grounds. You must erase data when: it is no longer necessary for the purpose; the person withdraws consent and there is no other basis; they object and there is no overriding legitimate ground; the data was unlawfully processed; erasure is needed to meet a legal obligation; or the data was collected from a child for online services.
If none of these grounds applies, you are generally not required to erase the data — though you must still respond to the request.
The exemptions
Even where a ground applies, Article 17(3) provides exemptions. You can refuse erasure where the processing is necessary for freedom of expression and information, to comply with a legal obligation, for reasons of public health, for archiving, research or statistics in the public interest, or to establish, exercise or defend legal claims.
These exemptions are why a blanket “delete everything about me” demand cannot always be honoured — some data you are legally required, or legally entitled, to keep.
It is a balancing exercise
Handling an erasure request is therefore a structured assessment, not an automatic delete. You weigh the ground the person relies on against any applicable exemption, and reach a reasoned decision.
Where you decide to refuse, you must tell the person why, inform them of their right to complain to a regulator and to seek a judicial remedy, and do so within the usual time limit.
The one-month deadline
Like other rights requests, you must respond to an erasure request without undue delay and within one month. You can extend by two months for complex cases, provided you inform the person within the first month and explain the reason.
Tracking the deadline is important: an erasure request ignored or missed is a clear and easily evidenced breach.
Telling other recipients
If you have shared the data with others, erasure may need to ripple outward. Where you have made the data public, you must take reasonable steps — accounting for available technology and cost — to inform other controllers processing it that the person has requested erasure of links to or copies of it.
And where you have disclosed data to recipients, you should generally notify them of the erasure unless it proves impossible or disproportionate.
Erasure and backups
A practical wrinkle is backups. Deleting data from live systems may leave copies in backups for a time. GDPR accepts this, provided the backup data is securely isolated, not used for live processing, and cycled out in line with your backup retention.
Be transparent about this with the requester, and ensure that restoring a backup does not silently reinstate data you were required to erase.
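One way to keep a restore from reinstating erased records, shown as an added example that is not part of the original guide: keep an erasure ledger outside the backups and replay it after every restore. The `customers` table, the ledger key and the sample rows are constructed assumptions.

```python
import hashlib
import hmac
import sqlite3

# Assumption: a secret key held outside the backups, used to pseudonymise ledger entries.
LEDGER_KEY = b"constructed-demo-key"

def subject_token(email: str) -> str:
    """Keyed hash of a normalised identifier, so the ledger holds no plain email."""
    return hmac.new(LEDGER_KEY, email.strip().lower().encode(), hashlib.sha256).hexdigest()

def erase_subject(live: sqlite3.Connection, ledger: set, email: str) -> int:
    """Delete a subject from the live table and record the erasure in the ledger."""
    ledger.add(subject_token(email))
    cur = live.execute("DELETE FROM customers WHERE lower(email) = ?", (email.strip().lower(),))
    live.commit()
    return cur.rowcount

def replay_ledger(restored: sqlite3.Connection, ledger: set) -> list:
    """After a restore, remove every row whose token is in the erasure ledger."""
    removed = []
    for row_id, email in restored.execute("SELECT id, email FROM customers").fetchall():
        if subject_token(email) in ledger:
            restored.execute("DELETE FROM customers WHERE id = ?", (row_id,))
            removed.append(row_id)
    restored.commit()
    return removed

def demo():
    # Constructed sample data: a live database and a backup taken before the erasure.
    rows = [(1, "alice@example.com"), (2, "Bob@Example.com"), (3, "carol@example.com")]
    live = sqlite3.connect(":memory:")
    live.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT)")
    live.executemany("INSERT INTO customers VALUES (?, ?)", rows)
    live.commit()
    backup = sqlite3.connect(":memory:")
    live.backup(backup)                 # the backup still contains Bob's row
    ledger = set()
    erased = erase_subject(live, ledger, "bob@example.com")
    restored = sqlite3.connect(":memory:")
    backup.backup(restored)             # restore: Bob's row is back
    before = restored.execute("SELECT COUNT(*) FROM customers").fetchone()[0]
    removed = replay_ledger(restored, ledger)
    remaining = [e for (e,) in restored.execute("SELECT email FROM customers ORDER BY id")]
    return erased, before, removed, remaining

if __name__ == "__main__":
    print(demo())
```

The ledger tokens are still pseudonymised identifiers, so store the ledger and its key separately from the backups they protect.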
Verifying identity
Before deleting anything, verify the requester’s identity with proportionate checks. Erasure is irreversible, so acting on a fraudulent or mistaken request can cause real harm — deleting the wrong person’s data, or destroying records someone is not entitled to remove.
Balance this against not making the process unreasonably burdensome for genuine requesters.
Common scenarios
Typical valid requests include a customer closing an account and asking you to delete their data once you no longer need it, or someone withdrawing marketing consent and asking to be removed. Typical refusals include requests to delete data you must retain for tax or employment law, or to erase records you need to defend a live legal claim.
Most requests fall clearly into one camp or the other once you apply the grounds and exemptions.
Building an erasure process
A reliable process has clear steps: receive and log the request, verify identity, locate all the person’s data across your systems, assess the grounds and exemptions, delete or refuse with reasons, notify recipients where required, and record what you did.
The hardest part is usually finding all the data, which is why a good data inventory pays off directly when erasure requests arrive.
Don’t forget to document
For every erasure request, keep a record of the decision and the reasoning — especially where you refused or relied on an exemption. This is your evidence under the accountability principle if the person complains or a regulator asks.
Good documentation turns a contentious refusal into a defensible, well-reasoned decision.
How ISpectra helps
Handling erasure requests confidently — knowing when to comply and when you may refuse — is a hallmark of mature GDPR compliance. ISpectra Technologies helps organisations build erasure workflows, map where personal data lives so it can actually be found and deleted, and document decisions so they stand up to scrutiny.
If erasure requests currently cause panic, a short review will give you a repeatable, defensible process.
In one paragraph
The right to be forgotten (erasure, Article 17) lets people ask you to delete their data when one of six grounds applies — such as the data no longer being needed or consent being withdrawn — but it is not absolute. Exemptions let you refuse where you must keep data for legal obligations, legal claims, freedom of expression, or public-interest archiving and research. Treat each request as a structured assessment: verify identity, weigh grounds against exemptions, act within one month, ripple the deletion to recipients and backups appropriately, and document your decision — whether you erase the data or explain why you cannot.
Erasure is easier when you plan ahead
Organisations that struggle with erasure usually have the same underlying problem: they do not know where all of a person’s data lives. Copies are scattered across databases, spreadsheets, SaaS tools, email and backups, so a single “delete me” request becomes a frantic hunt. The fix is upstream — a current data inventory and data map that records every system holding personal data.
The same preparation that supports erasure also supports access requests, retention and breach response, so it is rarely wasted effort. Designing systems so that a person’s records can be located and removed cleanly — rather than being duplicated endlessly — turns erasure from a recurring crisis into a button you can confidently press, and is a direct expression of the privacy-by-design mindset GDPR expects.