Log in

← Back to Glossary

Right to erasure (right to be forgotten) under GDPR: Deleting personal data upon request

The right to erasure, also known as the right to be forgotten, is a data subject right under the General Data Protection Regulation (GDPR). It allows individuals to request the deletion or removal of their personal data when there is no compelling reason for continued processing.

This right helps protect privacy, ensuring that personal data is not retained longer than necessary unless legal or legitimate reasons justify its retention.

When does the right to erasure apply?

A data subject can request erasure if:

  • The data is no longer necessary for its original purpose.
  • Consent is withdrawn, and no other legal basis exists.
  • The individual objects to processing, and no overriding legitimate grounds exist.
  • The data was unlawfully processed in violation of GDPR.
  • Erasure is required for legal compliance under EU or national law.

When can an organization refuse an erasure request?

There are exceptions where data may not be erased, including:

  • Compliance with a legal obligation (e.g., tax or financial regulations).
  • Public interest in public health, research, or statistical purposes.
  • Exercise or defense of legal claims.

Try RESPONSUM for free

Set up your personalized environment and see how RESPONSUM’s powerful features simplify your compliance workflows. Our experts are here to guide you every step of the way.

Try for free
G2 badge fall 2024 easiest to do business with
G2 badge fall 2024 best support
G2 badge fall 2024 high performer
G2 badge fall 2024 high performer Europe
G2 badge fall 2024 high performer EMEA

How to process a right to erasure request under GDPR

1. Verify and document the request

  • Confirm the identity of the requester before deleting data.
  • Assess whether legal grounds for refusal apply.

2. Delete personal data securely

  • Permanently remove all relevant personal data from systems and backups.
  • Inform third parties with whom the data was shared, if applicable.

3. Respond within GDPR’s time limits

  • Process erasure requests within one month, with a two-month extension for complex cases.
  • Provide confirmation of deletion or a justified refusal if applicable.

Book a demo to see RESPONSUM in action

Book your free demo and discover how RESPONSUM fits your needs. Get expert insights, a live platform walkthrough, and personalized tips to boost your compliance strategy.

Book a demo

Why the right to be forgotten is essential for data protection

Respecting the right to erasure helps organizations:

  • Ensure GDPR compliance by honoring data subject rights.
  • Reduce data storage risks by removing unnecessary personal data.
  • Build trust with customers by demonstrating privacy commitment.
  • Minimize legal risks by preventing unauthorized data retention.

By properly handling erasure requests, businesses can strengthen data protection, improve transparency, and ensure responsible data management.

Try for free