IAPP Training · Module 5 - BoK II.C

Module 5 · Erasure / right to be forgotten (Article 17)

Right to erasure (Article 17), also called the right to be forgotten, lets a data subject have their data deleted in defined cases - e.g. data no longer necessary, consent withdrawn, a successful objection, unlawful processing, or data collected when the person was a child. If the controller made the data public it must take reasonable steps to inform other controllers (Recital 66). Several exceptions in Article 17(3) protect free expression, legal obligations and more.

Under the right to erasure (Article 17) a data subject may request deletion when the data is no longer necessary; consent is withdrawn and there is no other basis; the person objects and there are no overriding grounds; processing was unlawful; erasure is required by EU/Member State law; or consent was given when the person was a child.

Data made public

If the controller made the data public, it must take reasonable steps to inform other controllers to erase links/copies (Recital 66). This is hard in practice - finding all recipients and freedom-of-expression objections complicate it.

Exceptions under Article 17(3): freedom of expression and information.
Compliance with a legal obligation / public-interest task / official authority.
Public health.
Archiving, research or statistics (where erasure would seriously impair it).
Establishment, exercise or defence of legal claims.

Key terms - quick answers

What is “Right to erasure”?

Article 17, the 'right to be forgotten': the right to have personal data deleted in defined circumstances.

What is “Right to be forgotten”?

The common name for the right to erasure under Article 17.

← Module 5 · Data portability (Article 20)Module 5 · Restriction of processing (Article 18) →