Right to be Forgotten

A common name for the right to erasure under GDPR Article 17, enabling individuals to have their personal data deleted under specific circumstances. This right applies when: data is no longer necessary for its original purpose, consent is withdrawn (where consent was the legal basis), the individual objects to processing and no overriding legitimate grounds exist, data was unlawfully processed, deletion is required by legal obligation, or data was collected from a child for online services. However, deletion isn't absolute—exceptions include freedom of expression, legal obligations, public health, archiving in public interest, or establishment of legal claims. When erasure is required, controllers must delete data and take reasonable steps to inform other controllers processing the data. The 'right to be forgotten' garnered attention through landmark cases like Google Spain, where search engines were required to delist certain search results. Organizations should implement secure deletion procedures, document erasure requests, and establish processes for evaluating exceptions.