Right to Erasure

The right to erasure (the right to be forgotten) gives data subjects the right to have their personal data deleted under certain conditions. GDPR Article 17 defines when the right applies and what exceptions exist.


    What is the right to erasure?

    The right to erasure is set out in GDPR Article 17 and is also called "the right to be forgotten". It gives the data subject the ability to require the data controller to delete their personal data.

    The right is closely linked to the principle of storage limitation. You must not retain data longer than is necessary for the purpose. The right to erasure gives the data subject an active mechanism to enforce this principle.

    If you have made data public and the data subject requests erasure, you must take reasonable steps to inform other data controllers about the request (Article 17(2)).

    When does the right apply?

    The data subject may request erasure when:

    • The data is no longer necessary for the purpose for which it was collected
    • Consent is withdrawn and there is no other legal basis
    • The data subject objects to processing based on legitimate interest and there are no overriding grounds for continued processing
    • The data has been processed unlawfully
    • Erasure is required by law
    • The data was collected from a child in connection with information society services

    You must respond within one month. The deadline may be extended by two months for complex requests, but you must inform the data subject within the first month.

    Exceptions to the right

    The right to erasure is not absolute. You may refuse a request if the processing is necessary for:

    • Freedom of expression and information: e.g. journalistic, artistic or literary purposes.
    • Legal obligation: e.g. the Danish Bookkeeping Act's 5-year retention requirement or anti-money laundering requirements.
    • Public health: Processing in the public interest in the area of public health.
    • Archiving, research and statistical purposes: Where erasure would render the processing impossible or seriously impair it.
    • Legal claims: Establishment, exercise or defence of legal claims.

    If you refuse a request, you must provide written reasons and inform the data subject of the right to complain to the Data Protection Agency.

    Erasure in practice

    Effective handling of erasure requests requires preparation:

    • Map data flows: Know where personal data is stored across systems, including at data processors and sub-processors.
    • Deletion routines: Build automatic deletion routines that remove data when the retention period expires. This reduces the number of erasure requests.
    • Backups: Plan how you handle data in backups. Full deletion from backups can be technically challenging, but you must have a plan.
    • Data processing agreements: Ensure that your agreements oblige data processors to assist with erasure.
    • Documentation: Record all erasure requests and your responses in your record of processing activities.

    Consider anonymisation as an alternative to erasure when you need to preserve the analytical value of the data. Anonymised data is not personal data and falls outside the GDPR.

    Frequently Asked Questions about Right to Erasure

    What is the right to erasure?

    The right to erasure (also called the right to be forgotten) gives the data subject the right to have their personal data deleted when the data is no longer necessary, consent is withdrawn, the data subject objects, the data has been processed unlawfully, or erasure is required by law.

    Can you always require your data to be deleted?

    No. The right to erasure is not absolute. There are exceptions, for example when data is necessary to comply with a legal obligation (such as the Bookkeeping Act's 5-year retention requirement), to exercise freedom of expression, for public health reasons, or for archiving, research and statistical purposes.

    How quickly must data be deleted?

    You must delete data without undue delay and no later than one month after the request. The deadline may be extended by two months for complex requests, but you must inform the data subject of the delay within the first month.

    Must you also delete data held by data processors?

    Yes. Erasure must cover all copies of the data, including those held by data processors and in backups. Your data processing agreement should contain provisions on how the data processor handles erasure requests and within what timeframe.

    What is the difference between erasure and anonymisation?

    Erasure means permanently removing the data. Anonymisation means treating the data so that individuals can no longer be identified, whilst the analytical value is preserved. Both achieve the goal of no longer processing personal data, but anonymisation allows you to retain the data set.
