GDPR Article 17 — Right to Erasure (Right to Be Forgotten)

source.gdpr-info-eu.art-17-gdpr-2016 ↗

Art. 17 GDPR requires data controllers to erase personal data without undue delay when any of six grounds apply: data no longer needed for original purpose; consent withdrawn with no alternative legal basis; data subject objects under Art. 21 and no overriding legitimate interest exists; processing was unlawful; a legal obligation requires deletion; or data was collected from a child under Art. 8. Controllers who made data public must take reasonable technical steps to notify other processors of the erasure request. Five exceptions allow continued processing: freedom of expression, legal compliance obligations, public health, archiving/research/statistics, and establishing or defending legal claims. CDP architectures must implement automated consent-withdrawal triggers, cross-vendor deletion APIs, audit trails documenting erasure attempts, and exception-mapping logic before deletion processing.