Right to Be Forgotten
What is Right to Be Forgotten?
The right of an individual to obtain the erasure of personal data concerning them when there is no overriding legal reason to keep processing it, under GDPR Article 17.
The right to be forgotten, also called the right to erasure, is set out in GDPR Article 17 and originates in the 2014 Google Spain ruling (C-131/12). A controller must delete personal data when it is no longer necessary, consent is withdrawn, processing is unlawful, the data subject objects without overriding grounds, or there is a legal obligation. Exceptions cover freedom of expression, legal obligations, public interest, public health, archiving, and the defense of legal claims. Controllers must also inform recipients and, where data was made public, take reasonable steps to notify other controllers. Implementation requires data mapping, deletion workflows across databases, backups, logs, AI training data, and search-engine de-listing.
● Examples
- 01: A user requests removal from a marketing CRM after withdrawing consent for newsletters.
- 02: A search engine de-lists outdated, irrelevant news articles about a private individual.
● Frequently asked questions
What is Right to Be Forgotten?
The right of an individual to obtain the erasure of personal data concerning them when there is no overriding legal reason to keep processing it, under GDPR Article 17. It belongs to the Privacy & Data Protection category of cybersecurity.
How do you defend against Right to Be Forgotten?
Defences for Right to Be Forgotten typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Right to Be Forgotten?
Common alternative names include: Right to Erasure, Article 17 Right.
● Related terms
- Data Subject Access Request (DSAR) (privacy, № 286)
  A formal request from an individual to a controller asking which of their personal data is being processed and obtaining a copy of it, as guaranteed by GDPR Article 15 and similar laws.
- GDPR (compliance, № 440)
  The European Union's General Data Protection Regulation governing the processing of personal data of individuals in the EU and EEA.
- Consent Management (privacy, № 210)
  The processes and tooling used to collect, record, refresh, and honor user permissions for processing personal data and setting cookies, in line with privacy law.
- Data Retention (privacy, № 284)
  The policies and controls that define how long different categories of data are kept and when they are securely deleted, archived, or anonymized.
- Data Minimization (privacy, № 280)
  A privacy principle requiring organizations to collect, process, and retain only the personal data that is strictly necessary for a defined, lawful purpose.
- Privacy by Design (privacy, № 856)
  An engineering and governance approach that embeds privacy considerations into systems, processes, and defaults from the earliest design stages rather than bolting them on later.