GDPR: Right to Be Forgotten

Nathan Rizzuti Profile image

Written by:

Updated January 5, 2023

The internet age ushered in an entirely new frontier for what identity protection means. While creating a formal system of laws protecting online identity took time, the EU’s General Data Protection Regulations was a massive step towards defending consumer privacy. There are formal laws guaranteeing internet users certain rights; our mission is to help you understand them and further protect yourself while online. Below, we’ll discuss the GDPR right to be forgotten. We’ll explain what it is, how it helps protect you, and in what cases it doesn’t apply.


  • The GDPR right to be forgotten is a protection law allowing users to request their data be removed from organizational data banks.
  • The GDPR outlines specific examples of when and how data subjects may submit requests to have their data erased.
  • If an organization has the data legally and remains relevant to its legal basis, it will not be forced to remove a subject’s data.

For more information on consumer privacy, feel free to check out our additional reads on the GDPR’s definition of sensitive personal information as opposed to the GDPR’s definition of personal information. Lastly, we have a great article explaining how to disable cookies on your computer.

Insider Tip

Before submitting a request to exercise the right to be forgotten, read through Article 17 to ensure your proposal falls under the provided stipulations.

GDPR and the Right to Be Forgotten

In the GDPR, details regarding the legal obligation to the right to be forgotten (also known as the “right to erasure”) appear in Article 17. Article 17 states:

“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have an obligation to erase personal data without undue delay where one of the following grounds applies:”

So what does this mean? First, the right to request for erasure allows users a level of protection to request that their data no longer be kept by the organization that collected it.

Article 17 also lists a handful of circumstances under which the right to be forgotten applies. These circumstances include:

  • When a user’s data is no longer needed for the reason for which it was collected, even if they established an additional legal basis (Article 17)
  • If a user decides to withdraw their data and the company has no other legal basis for processing it (Article 1 17)
  • If a company unlawfully processes a user’s data (Article 17)
  • If a user does not want their data used for direct marketing (Article 17)

There are also questions surrounding the language of “undue delay” and its meaning. In essence, undue delay guarantees a quick decision upon requesting that a company delete its data. Usually, this takes about a month, but there’s no set period of time.


If you are a celebrity, public official, or media member, getting data removed under the GDPRs right to be forgotten articles will be more challenging.

Cases Where the Right to Erasure Doesn’t Apply

It’s important to remember that there are also cases where the GDPR doesn’t apply. It’s hard to give clear lines, but as long as the request doesn’t fall within the parameters listed above, a user may not be able to get their data removed.

STAT: In 2020, Google refused to adhere to the GDPR right-to-be-forgotten laws, resulting in a fine of 600,000 Euros. (source)

GDPR Right to Be Forgotten FAQs

Does the GDPR apply to citizens outside of the EU?

The GDPR deals explicitly with citizens living in EU countries. However, many other countries have laws similar to the GDPR guaranteeing similar rights.

How do you submit a request to have data removed under the GDPR?

The request is made either in written or verbal form and has to be submitted to a member of the organization holding a user’s data.

When was the GDPR put into effect?

The GDPR was passed through the European Parliament in 2016. By 2018, all organizations within the EU were forced to comply.
Nathan Rizzuti Profile image