Article 17 of GDPR: Right to be forgotten
Article 17 of GDPR gives individuals an important right: the right to have their personal data erased, also known as the right to erasure or the right to be forgotten.
Right to be forgotten (Article 17(1) GDPR)
Pursuant to Article 17(1) of GDPR, an individual has the right to compel a company to erase the personal data it may hold about him or her.
When the right to erasure is requested, the company must erase the data without undue delay.
A company has an obligation to erase the personal data when one of the following conditions applies:
- The person’s data is no longer necessary for the purpose it was initially collected (Article 17(1)(a) GDPR)
- When the data subject withdraws their consent and where the company has no other legal basis to process the data (Article 17(1)(b) GDPR)
- When a person objects to the processing of their personal data and the company does not have any overriding legitimate purpose to continue the data processing or a person objects to the processing of personal data for direct marketing purposes (Article 17(1)(c) GDPR)
- The person’s data was processed unlawfully (Article 17(1)(d) GDPR)
- When the company must erase the personal data to comply with its legal obligations (Article 17(1)(e) GDPR)
- When the personal data was collected in relation to an offer of information society services (Article 17(1)(f) GDPR)
Right to be forgotten when personal data was made public (Article 17(2) GDPR)
When a person requests that their personal data be erased and the company had made the person’s information public, the company must take reasonable measures to get any other company processing the personal data to erase it as well, by removing any links to, or copies or replications of, that data.
This obligation should take into consideration the available technology and the cost of implementing such measures.
Exception to the right to be forgotten (Article 17(3) GDPR)
In certain cases, the right to be forgotten or right to erasure will not apply.
The right to be forgotten does not apply to the extent data processing is necessary for the following reasons:
- For the exercise of the right of freedom of expression and information (Article 17(3)(a) GDPR)
- When a company must comply with a legal obligation, must perform a task in the interest of the public or in the exercise of an official authority given to the controller (Article 17(3)(b) GDPR)
- For reasons of public interest relating to public health (Article 17(3)(c) GDPR)
- For the purpose of public interest, archiving, scientific and historical research to the extent that the right to erasure is likely to make the objective impossible or significantly affect it (Article 17(3)(d) GDPR)
- For the purpose of exercising a legal claim or defence (Article 17(3)(e) GDPR)
Recitals applicable to Article 17 of GDPR
Relevant Recitals: 65, 66
Cited Legislation in Article 17 or relevant recitals
GDPR Text: Article 17 of GDPR and Relevant Recitals
GDPR Text Source: EUR-Lex
Official GDPR Text: General Data Protection Regulation
Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679)