What Is the Right to Be Forgotten in Gdpr?

The right to be forgotten, or the right to erasure under Article 17 of the General Data Protection Regulation (GDPR), grants data subjects—the individuals whose personal data are processed—the ability to request the deletion of their personal data under specific conditions. This right is not absolute but is conditional upon several criteria outlined in GDPR.

Data subjects can invoke this right when:

• The personal data is no longer necessary for the original purpose of collection or processing.
• Consent is withdrawn by the data subject.
• The data subject objects to the processing and there are no overriding legitimate grounds for processing.
• The personal data have been unlawfully processed.
• Erasure is necessary to comply with a legal obligation under EU or Member State law.
• The data concerns a child’s personal data as per Article 8 of GDPR.

Exceptions to the right to erasure include situations where:

• The processing is necessary for exercising the right of freedom of expression and information.
• Processing is required for public interest tasks or public health reasons.
• Retention is necessary to establish, exercise, or defend legal claims.

The balance between the right to erasure and other fundamental rights such as freedom of expression and public interest is critical. This balance ensures that the right to be forgotten does not override other essential societal interests (Voigt & Von dem Bussche, 2017).

The effectiveness of the right depends on the organization's adherence to GDPR mandates and their ability to respond adequately to erasure requests. Non-compliance can lead to penalties, emphasizing the operational importance of this right within data protection frameworks (Kuner et al., 2019).

In summary, Article 17 provides a framework where individuals can control their digital footprint by requesting deletion of personal data, but this is subject to significant limitations ensuring that other rights and legal obligations are respected.