What is GDPR Article 17 (Right to Erasure)?
GDPR Article 17 establishes the right to erasure, also known as the right to be forgotten, allowing data subjects to request the deletion of their personal data under specific circumstances.
Article 17 of the GDPR codifies the right to erasure, commonly known as the "right to be forgotten." This right allows data subjects to request that a data controller erase their personal data without undue delay. The controller is obligated to comply when one of several grounds applies: the data is no longer necessary for its original purpose, the data subject withdraws consent and there is no other legal ground for processing, the data subject objects to processing and there are no overriding legitimate grounds, the data has been unlawfully processed, erasure is required for compliance with a legal obligation, or the data was collected in relation to the offer of information society services to a child.
However, the right to erasure is not absolute. Article 17(3) provides exceptions where the controller may refuse erasure, including where processing is necessary for exercising the right of freedom of expression and information, compliance with a legal obligation, reasons of public interest in the area of public health, archiving purposes in the public interest or scientific research, or the establishment, exercise, or defense of legal claims. Controllers must also take reasonable steps to inform other controllers processing the same data of the erasure request.
Implementing the right to erasure effectively requires organizations to know where personal data is stored across all systems, which is a significant operational challenge. IQWorks addresses this through DiscoverIQ for locating personal data across the enterprise, SearchIQ for quickly finding all instances of a data subject's information, and automated workflows to execute erasure across connected systems.
Related Terms
Right to Erasure (Right to Be Forgotten)
The right to erasure, also known as the right to be forgotten, allows individuals to request that organizations delete their personal data when it is no longer necessary, consent is withdrawn, or processing is unlawful.
Data Subject Rights (DSR)
Data Subject Rights are the legal rights granted to individuals under data protection laws, enabling them to control how their personal data is collected, used, stored, and shared by organizations.
Data Subject Access Request (DSAR)
A Data Subject Access Request is a formal request made by an individual to an organization to obtain confirmation of whether their personal data is being processed and, if so, to receive a copy of that data along with details about how it is used.
GDPR (General Data Protection Regulation)
The General Data Protection Regulation is the European Union's comprehensive data protection law that sets strict rules for how organizations collect, store, and process personal data of EU residents, with fines up to 4% of annual global turnover.
Data Discovery
Data discovery is the automated process of identifying and cataloging personal data across an organization's technology landscape, including databases, file systems, cloud storage, and SaaS applications.