GDPR Article 17 — the right to erasure — is one of the most significant and most misunderstood rights in European data protection law. It is frequently presented as an absolute right to delete any data about you from the internet. It is not. It is a conditional right that applies in specific circumstances and is subject to important exceptions. This guide explains when erasure applies, when it does not, and how to enforce it effectively.
When the Right to Erasure Applies
GDPR Article 17 provides the right to erasure in six specific situations:
- The data is no longer necessary: The organisation originally had a legitimate reason to collect or process your data, but that reason no longer exists. The data has become redundant to its original purpose.
- You withdraw consent: Where processing was based on your consent and you withdraw it — and there is no other legal basis for processing.
- You object to processing: Where you have objected to processing based on legitimate interests (Article 21) and the controller cannot demonstrate overriding legitimate grounds.
- The processing was unlawful: The organisation never had a valid legal basis for processing your data in the first place.
- Legal obligation requires erasure: A legal obligation — under EU or member state law — requires the data to be deleted.
- Data relates to a child: Data collected in connection with information society services offered to a child under 16 (or lower age of consent under member state law).
When Erasure Does Not Apply
Article 17(3) sets out the circumstances where erasure can be refused even when one of the above grounds applies:
- Freedom of expression: Processing necessary for exercising the right of freedom of expression and information — typically journalism, academic research, or public interest publishing. A news article about a public figure’s public conduct is the clearest example.
- Legal obligation: Processing required by EU or member state law — for example, statutory record-keeping requirements for financial institutions.
- Public health or archiving: Processing necessary for public health purposes or for archiving, scientific research, or statistical purposes in the public interest.
- Legal claims: Processing necessary for the establishment, exercise, or defence of legal claims — where the data is relevant to ongoing or anticipated proceedings.
Erasure from Compliance Databases
Compliance screening databases — World-Check, LexisNexis Risk Solutions, Dow Jones Risk and Compliance — frequently argue that processing is necessary for the performance of a public interest task (AML compliance) and therefore falls within the Article 17(3) exception. This argument has limits: the exception applies to the task, not to indefinite retention of data that is no longer accurate or proportionate to the risk being managed.
A well-framed erasure demand challenges both the ground for refusal and the proportionality of continued retention — demonstrating that the specific data in question is no longer serving the legitimate purpose claimed by the database operator. This is where legal framing matters significantly: a bare erasure request citing Article 17 will receive a form response invoking Article 17(3); a legal demand addressing the specific facts and the proportionality argument requires a substantive legal response.
Erasure from Media and Search Engines
The Google Spain case (2014) established that search engines process personal data and are subject to erasure obligations for search results about individuals where the results are outdated, inaccurate, or disproportionate. This is the legal basis for “right to be forgotten” requests to Google and other search engines in EU jurisdictions.
Media organisations can also be required to erase personal data where continued publication is no longer justified — though the freedom of expression exception applies more strongly here than with databases. Historical articles about resolved legal matters, dropped charges, or outdated information are the most viable targets for press erasure under GDPR.
How to Make an Effective Erasure Request
- Identify the specific data you want erased and the specific controller holding it.
- Identify which Article 17 ground applies to your situation.
- Submit a formal written request citing Article 17, the specific ground, and the specific data.
- The controller must respond within one calendar month. If the response is a refusal, they must state the specific reason.
- If the refusal is unjustified, escalate to the relevant supervisory authority (ICO, CNIL, BfDI, etc.) and/or consider civil proceedings under Article 82.
For specialist legal help with erasure from compliance databases, see GDPR data erasure lawyer. For search engine delisting, see right to be forgotten lawyer. For compliance database disputes, see LexisNexis right to erasure and World-Check removal.