ComposableStack.AI CDP
Back to agent
Sourcesource.gdpr-info-eu.art-17-gdpr-2016

GDPR Article 17 — Right to Erasure (Right to Be Forgotten)

Art. 17 GDPR requires data controllers to erase personal data without undue delay when any of six grounds apply: data no longer needed for original purpose; consent withdrawn with no alternative legal basis; data subject objects under Art. 21 and no overriding legitimate interest exists; processing was unlawful; a legal obligation requires deletion; or data was collected from a child under Art. 8. Controllers who made data public must take reasonable technical steps to notify other processors of the erasure request. Five exceptions allow continued processing: freedom of expression, legal compliance obligations, public health, archiving/research/statistics, and establishing or defending legal claims. CDP architectures must implement automated consent-withdrawal triggers, cross-vendor deletion APIs, audit trails documenting erasure attempts, and exception-mapping logic before deletion processing.

gdpr-info.eu — view original source
confidence 90%v1indexed May 19, 2026gdpr, data-subject-rights, right-to-erasure, right-to-be-forgotten, art-17, privacy, compliance, data-deletion, cdp, regulatory, eu, cascade-deletion

GDPR Article 17 — Right to Erasure (Right to Be Forgotten)

Regulation: EU 2016/679 (GDPR), Art. 17 — in force since May 25, 2018.

Right and Obligation

Data subjects may request erasure of personal data concerning them. Controllers must comply without undue delay (interpreted as approximately one month in supervisory authority guidance) when applicable grounds exist.

Grounds for Erasure

Controllers must erase data when:

  1. Data is no longer necessary for the purpose for which it was collected or processed.
  2. Consent is withdrawn and there is no alternative legal basis for processing.
  3. Data subject objects under Art. 21(1) and there are no overriding legitimate interests, or objects under Art. 21(2) (direct marketing objection, which is absolute).
  4. Processing was unlawful.
  5. A legal obligation (EU or Member State law) requires erasure.
  6. Data was collected in relation to an offer of information society services to a child under Art. 8(1).

Third-Party Notification Obligation

Where a controller has made personal data public (e.g., shared with advertising networks, activation destinations), the controller must take reasonable steps including technical measures to inform other controllers processing that data that the data subject has requested erasure of any links, copies, or replications. For CDP architectures, this means propagating deletion directives to all downstream systems including CDWs, reverse ETL destinations, ad platform custom audiences, email service providers, and any other vendor receiving the data.

Exceptions

The right to erasure does not apply to the extent processing is necessary for:

  1. Exercising the right to freedom of expression and information.
  2. Compliance with a legal obligation (EU or Member State law).
  3. Reasons of public interest in the area of public health (Art. 9(2)(h)/(i) and Art. 9(3)).
  4. Archiving in the public interest, scientific or historical research, or statistical purposes where erasure would seriously impair the objective.
  5. Establishment, exercise, or defense of legal claims.

CDP Architecture Implications

Composable CDP architectures face particular challenges with Art. 17 compliance:

Related KG nodes: Complements source.gdpr-info-eu.art-7-gdpr-2016 (consent grounds for processing). Grounds constraint.gdpr-right-to-erasure (TC-53 proposal).