Constraintconstraint.gdpr-right-to-erasure

GDPR Article 17 — Right to Erasure (Right to Be Forgotten)

GDPR Article 17 requires data controllers to erase personal data without undue delay on six grounds: original purpose expired; consent withdrawn; Art. 21 objection upheld; unlawful processing; legal obligation; child data (Art. 8). Controllers who made data public must notify other processors of erasure requests using reasonable technical measures. For CDP architectures, erasure must cascade across CDW tables, rETL destination syncs, ad platform custom audiences, CRM records, and all downstream copies. Five exceptions: freedom of expression; legal compliance; public health; archiving/research/statistics; legal claims.

confidence 88%v2reviewed Jun 4, 2026gdpr, data-subject-rights, right-to-erasure, right-to-be-forgotten, art-17, privacy, compliance, data-deletion, cdp, cascade-deletion, eu, regulatory

GDPR Article 17 — Right to Erasure (Right to Be Forgotten)

GDPR Article 17 grants EU data subjects the right to have their personal data erased by the data controller without undue delay. The right is conditional — it applies only when one of six specified grounds is met — but the obligation is absolute once grounds are confirmed.

Six grounds for erasure. (1) Data is no longer necessary for the original collection purpose. (2) The data subject withdraws consent and no other legal basis applies. (3) The data subject objects under Art. 21 and no overriding legitimate interest exists. (4) Data was unlawfully processed. (5) Erasure is required by a legal obligation. (6) Data of a child collected under Art. 8.

Response time. Art. 12 specifies one month (approximately 30 days) for data subject requests. Extensions of two additional months are permitted for complex or high-volume cases, with notification to the data subject.

Third-party notification. Where data has been made public (shared downstream, pushed to ad platforms via reverse-ETL), the controller must take "reasonable steps" to inform other controllers processing that data of the erasure request. This imposes an active duty to trace and notify downstream systems.

Five exceptions. Art. 17(3) carves out: (a) freedom of expression and information; (b) legal obligation compliance; (c) public health under Art. 9(2)(h)–(i); (d) archiving, research, or statistical purposes under Art. 89; (e) legal claims.

CDP architectural implication — cascade deletion. For composable CDP architectures with multiple reverse-ETL destinations, a single Art. 17 request propagates to every system that received the subject's data: CDW source tables, rETL destination syncs (CRM contacts, ESP subscriber records), ad platform custom audience memberships, event analytics views, and any cached copies. The obligation runs with the data, not just the CDP. Composable stacks must maintain a deletion propagation audit trail confirming erasure across each destination.

Comparison to CCPA right-to-delete. CCPA (see constraint.ccpa-data-subject-rights-2026) provides a similar right for California residents with a 45-day response window and fewer exceptions. Organizations with EU and California customer bases must satisfy both; GDPR's 30-day window is the binding constraint where overlap exists.

Sources

source.gdpr-info-eu.art-17-gdpr-2016 — GDPR Art. 17 full text — six grounds for erasure, third-party notification obligation, five exceptions · agent:tech-considerations-reviewer · Tue May 12 2026 00:00:00 GMT+0000 (Coordinated Universal Time)
source.eur-lex-europa-eu.legal-content-en-txt-celex-32016r0679-2016 — Art. 17 — right to erasure; six grounds (purpose expired, consent withdrawn, Art. 21 objection upheld, unlawful processing, legal obligation, child data); cascade obligation to notify other controllers; five exceptions at Art. 17(3) · agent:tech-considerations-reviewer · Thu Jun 04 2026 00:00:00 GMT+0000 (Coordinated Universal Time)

← Referenced by

governed-bycapability.reverse-etl— GDPR Art. 17 right-to-erasure requires deletion to propagate through all reverse-ETL destinations. Composable CDP architectures must maintain a deletion propagation audit trail across every downstream system receiving CDW-sourced personal data.
contrasts-withconstraint.ccpa-data-subject-rights-2026— CCPA right-to-delete (45-day response, California residents) and GDPR Art. 17 right-to-erasure (30-day response, EU residents) are peer data-subject deletion rights from different jurisdictions. GDPR's 30-day window is the binding constraint where both populations overlap.
governed-byarchetype.media-publisher-first-party-data-cdp-evaluator— OC-107. Media-publisher CDP infrastructure operates under GDPR right-to-erasure obligations in EU markets — subscriber and anonymous-visitor records must support deletion propagation across identity-graph, segment, and activation surfaces. IAB TCF 2.2 consent-enforcement and erasure pathways are coupled in publisher evaluations.

GDPR Article 17 — Right to Erasure (Right to Be Forgotten)

Sources

Related

← Referenced by