GDPR Right to Be Forgotten (Article 17) Explained

The GDPR gives you the right to demand that a company or a search engine delete personal data about you. Article 17 of Regulation (EU) 2016/679 calls this the "right to erasure," and Recital 65 of the regulation itself uses the phrase "right to be forgotten." The right is not unlimited: it applies only in six specific situations, five exceptions can override it, and a landmark 2019 court ruling confirmed that search engine de-listing is confined to EU-facing versions of the engine, not the entire world wide web. This guide walks through each clause of Article 17, the two Court of Justice of the European Union cases that shaped how the right works in practice, and the exact steps to file a request.

For a broader overview of all eight GDPR rights, see GDPR data subject rights. For background on the regulation as a whole, see what is GDPR. This page is the deep-dive on erasure alone.

What Article 17 of the GDPR Actually Says

Article 17(1) of Regulation (EU) 2016/679 states: "The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay" where one of six grounds applies. The "without undue delay" standard is calibrated by the one-month response deadline in Article 12(3), discussed below.

Recital 65 of the regulation provides the policy context. It explains that a data subject should have the right to have personal data erased and no longer processed where the data are no longer necessary for the purposes they were collected, where consent has been withdrawn, where there is no other legal ground, and that this is especially important in the online environment where information shared during childhood may persist long into adulthood. Recital 65 is the source of the phrase "right to be forgotten" in the regulation's own text.

Recital 66 adds the online cascade dimension: "To strengthen the right to be forgotten in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data." This recital underpins Article 17(2) and is the structural foundation for search engine de-referencing orders.

These recitals are not binding law by themselves, but they are the authoritative interpretive guide to what the legislators intended Article 17 to achieve.

The Six Grounds for Erasure Under Article 17(1)

You can request erasure only if at least one of the following six grounds, set out in Article 17(1)(a) through (f), applies to your situation.

(a) Data no longer necessary for its original purpose. If the organization collected data about you to fulfil a specific purpose and that purpose has ended, it has no lawful basis to continue holding the data. A retailer that still holds your personal data years after a one-time transaction, with no ongoing relationship, is a classic example.

(b) Consent withdrawn and no other legal basis exists. If the only legal basis for processing your personal data was your consent, and you withdraw that consent, the controller must erase the data unless it can point to a different legal basis such as a contract, a legal obligation, or a legitimate interest. The withdrawal of consent does not affect the lawfulness of processing before withdrawal.

(c) Successful objection under Article 21 with no overriding legitimate grounds. Article 21(1) lets you object to processing based on legitimate interests or public-interest tasks; the controller can override your objection only by demonstrating compelling legitimate grounds. Where the controller has no such grounds, the objection succeeds and erasure follows. Article 21(2) goes further: objecting to processing for direct marketing purposes is unconditional. A controller that receives a direct-marketing objection has no balancing test to run and cannot refuse erasure on public-interest grounds.

(d) Unlawful processing. If the data was never lawfully processed in the first place, collected without a valid legal basis, retained beyond the lawful period, or processed in breach of the regulation, erasure is available regardless of whether the organization still has a "purpose" for the data.

(e) Erasure required by EU or Member State law. Some national or EU rules impose mandatory retention followed by mandatory deletion. Where a legal obligation specifically requires erasure after a defined period, that obligation triggers the Article 17(1)(e) ground directly.

(f) Data collected from you as a child for an information-society service. Article 17(1)(f) is the children's-data ground. Under Article 8(1) of the GDPR, the default minimum age of consent for information-society services (social media platforms, apps, online games) is 16; Member States may lower this floor to no less than 13. Any data collected about you when you were below the applicable national threshold, without valid parental or guardian consent, was collected unlawfully, meaning both Article 17(1)(d) and Article 17(1)(f) apply. Recital 65 explicitly calls this out: the right to be forgotten is especially important where a "data subject has been a child at the time of the collection." Critically, this ground applies even if you are now an adult. The relevant fact is that the data was collected during your childhood, not your current age.

At least one of these six grounds must be present. If none applies, the erasure request does not trigger Article 17, though you may still have rights under other provisions such as the right to restrict processing under Article 18.

The Five Exceptions: When Erasure Can Be Refused Under Article 17(3)

Even where one of the six grounds in Article 17(1) applies, a controller may lawfully decline to erase your data if it can demonstrate that continued processing is necessary for one of the five purposes listed in Article 17(3)(a) through (e).

(a) Freedom of expression and information. Journalism, commentary, opinion, and archiving of publicly important information fall within this exception. This is the most frequently invoked exception in the search-engine context. A news archive covering lawfully published information of genuine public interest can resist an erasure request on this ground. The exception requires a genuine balance: not every article about a private individual qualifies as protected expression.

(b) Compliance with a legal obligation, or performance of a public-interest task or exercise of official authority. Where EU or Member State law requires the controller to retain data, it cannot simply erase it on request. Employment law, tax law, social security law, and healthcare record-keeping requirements are common examples. This exception is also central to government agencies and public bodies processing data in the exercise of their official functions.

(c) Public health. Processing necessary for reasons of public interest in the area of public health, such as disease surveillance, epidemiology, or medical research where de-identification is not possible, may override an erasure request under Article 9(2)(h) and (i).

(d) Archiving in the public interest, scientific or historical research, or statistics. Erasure requests can be refused where the data is being processed for archiving purposes in the public interest, or for scientific or historical research, or statistical purposes, provided that erasure would seriously impair the achievement of those objectives. This exception protects long-term public-interest research datasets from being dismantled by individual erasure requests.

(e) Establishment, exercise, or defence of legal claims. If an organization needs to retain data to bring, defend, or pursue litigation or regulatory proceedings, it can invoke this exception. This is frequently used in employment disputes, insurance claims, and financial services compliance contexts.

It is the controller's burden to identify which exception applies and to explain that to you in writing when refusing a request. A blanket refusal without citing a specific ground from Article 17(3) is itself a GDPR infringement.

The Cascade to Other Controllers: Article 17(2)

Article 17(2) addresses the situation where the controller has already made your personal data public, for example by posting it on a website or distributing it to third parties. Where a controller is required under Article 17(1) to erase data it has made public, Article 17(2) requires that controller to "take reasonable steps, including technical measures, taking account of available technology and the cost of implementation" to inform other controllers processing the data that you have requested erasure of "any links to, or copy or replication of, those personal data."

This provision is the structural basis for search engine de-referencing. When a website holds lawfully published content about you, you can request de-referencing from the search engine independently of whether the source page is removed. The search engine, as a separate controller that has processed public data, falls within the Article 17(2) cascade mechanism.

Where the Right Was Born: Google Spain (C-131/12, 2014)

The right to be forgotten as applied to search engines predates the GDPR. It was created by the Court of Justice of the European Union in Case C-131/12, Google Spain SL and Google Inc. v. Agencia Espanola de Proteccion de Datos (AEPD) and Mario Costeja Gonzalez, Grand Chamber, decided 13 May 2014. The case was decided under the then-applicable 1995 Data Protection Directive; the GDPR subsequently codified and strengthened the principle in Article 17.

The facts: a Spanish national, Mario Costeja Gonzalez, asked Google to remove search results that, when his name was entered, surfaced a 1998 newspaper notice about a debt-related property auction that had long since been resolved. The original newspaper article had been lawfully published. The question was whether Google, by indexing and returning those results, was itself subject to data protection obligations.

The Court held, at Operative Part 1 and paragraph 33, that "the activity of a search engine...must be classified as 'processing of personal data'" and that "the operator of the search engine must be regarded as the 'controller'" of that processing. This was the critical threshold ruling: search engines are not passive conduits but data controllers who determine the purposes and means of processing personal data.

On the substance of the right, the Court held at Operative Part 3 and paragraph 82 that a search engine operator "is obliged to remove from the list of results...links to web pages...also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even...when its publication in itself on those pages is lawful." The right to de-list from search results is therefore independent of whether the original source page is lawfully published or removed.

The balancing test established at Operative Part 4 and paragraph 81 provides that a data subject's fundamental rights to privacy and data protection, Articles 7 and 8 of the EU Charter, "override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information." The exception is where "for particular reasons, such as the role played by the data subject in public life," the interference with fundamental rights is justified by "the preponderant interest of the general public." Public figures and people who have voluntarily entered public life therefore face a higher threshold when seeking de-referencing.

How Far Does De-Referencing Reach: Google v CNIL (C-507/17, 2019)

After the GDPR took effect in May 2018, France's data protection authority, the Commission nationale de l'informatique et des libertes (CNIL), ordered Google to carry out de-referencing on ALL versions of its search engine worldwide, not just EU-facing ones. The CNIL's position was that partial de-listing was insufficient because EU users could easily switch to google.com or another non-EU domain and find the de-listed results.

Google challenged the worldwide scope. In Case C-507/17, Google LLC v. CNIL, Grand Chamber, decided 24 September 2019, the CJEU ruled that EU law does not require worldwide de-referencing. The primary holding was that "that operator is not required to carry out that de-referencing on all versions of its search engine, but on the versions of that search engine corresponding to all the Member States."

The Court grounded this EU-only scope in two reasons. First, the EU legislature did not intend to impose data protection requirements beyond EU territory. Second, as the judgment noted, "Numerous third States do not recognise the right to de-referencing or have a different approach to that right," and imposing EU standards worldwide would require EU law to override the laws of other jurisdictions.

However, the ruling does not leave EU users unprotected at the domain level. The Court held that within the EU, operators must implement "sufficiently effective" measures to prevent EU users from accessing de-listed links via non-EU versions of the search engine. In practice this means geo-blocking: if a French user navigates to google.com rather than google.fr, the de-listed result must still be blocked for that user based on their location.

The practical result: a successful de-referencing request removes links from google.fr, google.de, google.it, and all other EU-domain versions, and geo-blocking should prevent EU users from finding the removed results on google.com. The same result will still appear for a user in the United States accessing google.com.

How to Submit an Erasure Request to a Controller

Article 12(3) of the GDPR requires the controller to provide information on action taken in response to an erasure request "without undue delay and in any event within one month of receipt of the request." There is no prescribed form for submitting an erasure request. You can submit by email, through an online privacy portal, or by physical letter. Most large organizations now maintain a dedicated privacy rights portal, typically linked from the footer of their website under labels such as "Privacy Rights," "Data Subject Request," or "Your Privacy Choices."

Your request should include:

1. Your full name and any identifier the organization uses for your account (email address, customer number, username).
2. The specific data or categories of data you are requesting erasure of. Be as precise as you can.
3. The Article 17(1) ground you are relying on. For example: "I am requesting erasure under Article 17(1)(b) GDPR because I withdraw my consent and there is no other legal basis for processing."
4. Contact details for the response.

Under Article 12(5), responses to erasure requests are free of charge. Where requests are "manifestly unfounded or excessive, in particular because of their repetitive character," the controller may either charge a reasonable fee or refuse to act, but the burden of demonstrating that the request meets this threshold rests entirely on the controller. A single, clearly formulated erasure request cannot be dismissed as excessive.

If the controller cannot verify your identity using commercially reasonable methods, it may ask for additional information to authenticate you. It cannot use identity verification as a pretext to refuse the request altogether.

What Happens After You Submit: Timelines and Refusals

Article 12(3) gives the controller one calendar month from receipt to respond. For complex cases or where many requests have been received simultaneously, Article 12(3) allows an extension of "two further months where necessary," but the controller must notify you of the extension, and the reason for it, within the first month. You should therefore receive at minimum an acknowledgment within one month in every case.

If the controller acts on your request, it must confirm that erasure has been carried out and identify which data was deleted.

If the controller decides not to act, Article 12(4) requires it to inform you "without delay and at the latest within one month of receipt of the request" of the reasons for not taking action and of two escalation paths: the right to lodge a complaint with a supervisory authority (your national data protection authority, or DPA), and the right to seek a judicial remedy.

Infringement of Article 17, including failure to respond within the required time or an unjustified refusal, falls under Article 83(5)(b) of the GDPR as a violation of data subjects' rights under Articles 12 to 22. The maximum administrative fine is 20 million euros, or in the case of an undertaking, 4 percent of total worldwide annual turnover of the preceding financial year, whichever is higher. Your national DPA is responsible for investigating complaints and can impose those fines.

How to Submit a Search Engine De-Referencing Request

For de-referencing from search engine results under Articles 17(1) and 17(2), each major operator provides a dedicated submission mechanism. You do not submit a de-referencing request to the website hosting the content; you submit it directly to the search engine, which is a separate controller.

For a de-referencing request you will need to identify:

1. The specific URLs you want removed from search results.
2. The search terms that cause those URLs to surface in connection with your name.
3. The Article 17(1) ground you are relying on.
4. Why the search results are irrelevant, outdated, excessive, or otherwise not justified relative to your privacy interest.

Search engine operators review de-referencing requests individually and may decline where they determine that a public-interest exception under Article 17(3)(a) applies, particularly for public figures, recent or ongoing news events, or professional misconduct that is genuinely in the public interest.

If a search engine refuses your request, you can escalate to your national DPA. For example, French residents can complain to the CNIL, German residents to the Bundesdatenschutzbeauftragter (BfDI) or relevant state-level DPA, and so on. Your national DPA can order the search engine to comply if it finds the refusal unjustified.

Children's Data: The Strongest Erasure Ground

Article 17(1)(f) gives you an erasure right over personal data collected about you as a child for information-society services, and this right is among the most difficult for a controller to resist. Under Article 8(1), the minimum age of consent for information-society services is 16. Member States may lower this threshold, but to no less than 13. Where a Member State has lowered the threshold, the age depends on which country's law governed the service at the time you created an account or the data was collected.

Any data collected about you when you were below the applicable national threshold, without valid parental or guardian consent, was unlawfully processed under Article 8. That unlawful collection triggers Article 17(1)(d) as well as Article 17(1)(f): you have two independent grounds. Recital 65 singles this out explicitly, stating that a data subject should have the right to be forgotten where the data subject "has been a child at the time of the collection."

This means: if you created a social media account at age 13 in a Member State where the consent age was 16, and you now want the platform to delete all data associated with that account, you can invoke Article 17(1)(f) and (d) together. The platform cannot rely on its current relationship with you as an adult to defeat an erasure request about data that was unlawfully collected during childhood.

The only practical limitation is the exceptions in Article 17(3). Where the platform needs to retain some data to comply with a legal obligation, such as financial transaction records under tax law, it can decline erasure of that specific subset. But recreational behavioral data, advertising profiles, and content you posted as a minor are unlikely to fall within any Article 17(3) exception.

No US Federal Equivalent to the Right to Be Forgotten

There is no direct equivalent to the GDPR right to be forgotten in federal US law. The United States has no comprehensive federal data privacy statute that grants consumers a universal right to demand erasure of their personal data from private organizations.

The closest US analogue at the state level is the right to deletion under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), codified at California Civil Code section 1798.105. That right is meaningful but narrower than Article 17 in several important ways: it applies only to California residents, only to covered businesses meeting specific revenue or data-volume thresholds, and it contains its own extensive list of exceptions that track many of the same categories as Article 17(3).

At the federal level, the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. section 6501, gives parents the right to request deletion of personal data collected online from children under 13 by COPPA-covered operators. COPPA's scope is narrower than Article 17(1)(f): the age threshold is fixed at 13 with no Member State discretion, it covers only operators directed to children or with actual knowledge they are collecting children's data, and it grants the right to parents rather than the individuals whose data was collected.

At the search engine level, there is no US legal mechanism equivalent to the Google Spain de-referencing right. US courts have generally declined to recognize a right to compel search engine operators to de-list lawful content, relying on the First Amendment and Section 230 of the Communications Decency Act. A US resident cannot replicate an Article 17 erasure request under current federal law.

For EU residents and individuals located in EU Member States, the GDPR provides the strongest existing legal framework for demanding erasure of personal data from private companies and search engines. For an overview of how the GDPR's broader data subject rights framework fits together, see the GDPR data subject rights page and the EU data privacy laws hub.

Related guides

• GDPR International Data Transfers: Chapter V Rules (2026)
• Does GDPR Apply to US Companies? A Compliance Guide
• EU AI Act and Data Privacy: GDPR Intersection Explained
• EU Data Privacy Laws: GDPR, AI Act & the 2025-2026 Digital Reforms
• What Is GDPR? Complete Guide to EU Data Protection (2026)

Sources