Right to erasure
The right to erasure (Art. 17 GDPR), also known as the right to be forgotten, obliges the controller to delete personal data without undue delay once a ground for erasure applies and no statutory exception overrides it.
The right to erasure is set out in Art. 17 GDPR and grants data subjects a claim to have their personal data deleted. The controller must erase the data without undue delay where one of the grounds in Art. 17(1) applies: for example, when the data are no longer necessary for the original purpose, when consent has been withdrawn and there is no other legal basis, when a justified objection under Art. 21 has been raised, when the data have been processed unlawfully, or when a legal obligation to erase exists. The popular term "right to be forgotten" stems from the CJEU ruling in Google Spain (C-131/12) and appears as the heading of Art. 17.
The claim is not unlimited. Art. 17(3) GDPR lists exceptions in which erasure may be withheld: for exercising the right to freedom of expression and information, to comply with a legal obligation or perform a task in the public interest, for reasons of public interest in the area of public health, for archiving, research or statistical purposes in the public interest, and for the establishment, exercise or defence of legal claims. In practice, statutory retention periods under commercial and tax law (in Germany, typically six to ten years) are especially relevant: while these periods run, processing is usually restricted under Art. 18 rather than the data being deleted.
A central obligation arises from Art. 17(2) GDPR: where the controller has made the data public, it must take reasonable steps, taking account of available technology and the cost of implementation, to inform other controllers processing the data of the erasure request (the duty to forward the request). It also follows that processors (Art. 28) and recipients (Art. 19) must be notified of erasures. Deletion must take place "without undue delay"; the deadline to respond to the data subject follows Art. 12(3) GDPR (generally one month). A documented deletion concept with defined retention periods is the key to demonstrably meeting these obligations.
Legal Basis
Art. 17 GDPR (esp. para. 1: grounds for erasure, para. 2: duty to forward the request, para. 3: exceptions); supported by Art. 12(3), Art. 18, Art. 19 and Art. 21 GDPR
Practical Example
A former customer emails an online shop demanding the deletion of all their data. The data protection coordinator checks the applicable grounds for erasure: the contractual relationship has ended and consent for the newsletter has been withdrawn, so the marketing profile is deleted immediately. The invoicing and accounting records, however, are subject to the ten-year tax retention obligation; processing is therefore restricted (blocked) under Art. 18 and the records are only erased once the period expires. The company then informs the contracted email service provider as a processor about the deletion and documents the entire process, including the justification, in the record of processing activities and the deletion log, in order to meet its accountability obligation and observe the one-month deadline towards the data subject.