9.2 The Right to Erasure

The idea that you could ask a company — or even a search engine — to delete information about you once seemed radical. Today it is a fundamental legal right in much of the world. The right to erasure, often called the "right to be forgotten," puts you in the position of being able to demand deletion of your personal data under defined circumstances.

The legal basis: GDPR Art. 17

GDPR Article 17 requires a controller to erase personal data without undue delay when one of several grounds applies: the data is no longer necessary for the purpose for which it was collected; you withdraw consent and there is no other legal basis for processing; you object to processing for legitimate interests and there are no overriding grounds; the data has been unlawfully processed; erasure is required to comply with a legal obligation; or the data was collected in relation to the offer of information society services to a child.

The California Consumer Privacy Act (CCPA) similarly provides a right to delete personal information, requiring businesses and their service providers to delete data upon a verified consumer request — subject to analogous exceptions.

When erasure can be refused

The right is not absolute. GDPR Art. 17(3) lists grounds on which controllers may refuse: exercising the right of freedom of expression and information; compliance with a legal obligation requiring processing; reasons of public interest in the area of public health; archiving, research, or statistical purposes in the public interest; or the establishment, exercise, or defence of legal claims. In practice, banks often cannot erase your transaction data during regulatory retention periods; health records may be retained under national health law; and court records generally cannot be erased on request.

The landmark case: Google Spain v. AEPD (CJEU, 2014)

The most consequential test of the right to erasure came from a Spanish man, Mario Costeja González, who objected to Google search results linking his name to a 1998 newspaper notice about a debt auction — a matter long since resolved. The Court of Justice of the European Union (CJEU) ruled that search engines qualify as data controllers, and that individuals have the right to request de-listing of search results even when the underlying source page is lawful. The right to de-listing from search engines was born. Google has since received over 5 million removal requests from Europeans (Google Transparency Report, 2023).

How to request erasure in practice

Contact the organisation's DPO or privacy team in writing, specifying that you are exercising your right under GDPR Art. 17 (or equivalent law), identifying the data concerned, and stating the applicable ground. The controller must respond within one month. If refused, they must explain why. Your escalation options — DPA complaint, noyb tool, court — are covered in Lesson 9.4.

Your takeaway

The right to erasure is powerful but bounded. Know when it applies and when it dös not. For outdated, embarrassing, or unlawfully processed data — it is one of the most effective tools in your privacy toolkit.