Inferensys

Glossary

Right to Erasure

The Right to Erasure, codified in Article 17 of the GDPR, grants data subjects the power to compel a data controller to delete their personal data without undue delay when specific legal grounds apply.
Data scientist building training data pipeline on laptop, data preprocessing visible, technical workspace.
DATA SUBJECT RIGHTS

What is Right to Erasure?

The Right to Erasure, codified in Article 17 of the GDPR, empowers individuals to request the deletion of their personal data without undue delay under specific conditions.

The Right to Erasure, commonly known as the 'right to be forgotten,' is a legal mandate requiring data controllers to delete a data subject's personal information upon request when the data is no longer necessary for its original purpose, consent is withdrawn, or the processing is unlawful. This right is not absolute and includes specific exemptions, such as overriding public interest or legal obligations.

Technical fulfillment requires automated privacy request orchestration to locate and purge data across disparate systems, including backups and logs. Effective implementation relies on robust data lineage for PII to map all storage locations, ensuring complete deletion and providing a verifiable audit trail to demonstrate compliance to supervisory authorities.

GDPR ARTICLE 17 MECHANICS

Core Characteristics of the Right to Erasure

The right to erasure is not absolute; its applicability hinges on specific legal grounds, technical feasibility, and statutory exemptions. Understanding these core characteristics is essential for automating compliant deletion workflows.

01

The Six Lawful Grounds for Erasure

A data controller must erase personal data without undue delay where one of six specific grounds applies:

  • Purpose Fulfillment: The data is no longer necessary for the original purpose.
  • Consent Withdrawal: The data subject withdraws consent and no other legal basis exists.
  • Objection Uphold: The data subject objects to processing and there are no overriding legitimate grounds.
  • Unlawful Processing: The personal data has been processed unlawfully.
  • Legal Obligation: Erasure is required to comply with a Union or Member State legal obligation.
  • Child's Consent: The data was collected in relation to an information society service offered to a child.
02

The 'Undue Delay' Mandate

Article 17 requires erasure without undue delay. While the GDPR does not define a strict statutory deadline, regulatory guidance interprets this as one calendar month, consistent with the general DSAR response timeframe. Complex or numerous requests may warrant a two-month extension, but the controller must inform the data subject of the delay within the first month. Automated orchestration is critical to meeting this timeline across fragmented data silos.

1 Month
Standard Response Deadline
03

Statutory Exemptions to Deletion

The right to erasure is overridden when processing is necessary for:

  • Freedom of Expression: Exercising the right to freedom of expression and information.
  • Legal Compliance: Complying with a legal obligation requiring processing by Union or Member State law.
  • Public Interest: Performing a task carried out in the public interest or in the exercise of official authority.
  • Public Health: Reasons of public interest in the area of public health.
  • Archiving & Research: Archiving purposes in the public interest, scientific or historical research, or statistical purposes, where erasure would render impossible or seriously impair the achievement of those objectives.
  • Legal Defense: The establishment, exercise, or defense of legal claims.
04

Propagation to Third Parties

The controller who has made the personal data public has a specific obligation to take reasonable steps, including technical measures, to inform other controllers processing the data that the data subject has requested the erasure of any links to, or copy or replication of, that personal data. This requires maintaining a data lineage map to identify all downstream processors and sub-processors who received the data.

05

Technical Exceptions: Backup & Legacy Systems

The GDPR acknowledges that erasure from live systems is distinct from backup and archival systems. Controllers are not required to destroy backup media immediately if doing so would be disproportionately difficult. However, they must ensure the data is 'put beyond use'—meaning it is not actively processed for any other purpose and is isolated from operational access. A clear policy for permanent deletion upon backup rotation is mandatory.

06

Verification of Identity & Request Refusal

Before fulfilling an erasure request, the controller must verify the identity of the data subject, especially in digital environments. If the controller has reasonable doubts concerning the identity of the natural person making the request, they may request additional information to confirm identity. A controller may also refuse to act on a request if it is manifestly unfounded or excessive, but must demonstrate the excessive character and inform the data subject of the reasons for refusal and their right to lodge a complaint.

RIGHT TO ERASURE EXPLAINED

Frequently Asked Questions

Clear, technical answers to the most common questions about implementing the 'right to be forgotten' under GDPR Article 17, including its technical scope, exceptions, and impact on machine learning models.

The Right to Erasure, codified as Article 17 of the GDPR, is a data subject's right to obtain from the controller the deletion of their personal data without undue delay. It is not an absolute right; it applies when one of six specific grounds is met: the data is no longer necessary for its original purpose, consent is withdrawn, the data subject objects to processing, processing was unlawful, a legal obligation requires deletion, or the data was collected from a child's online service. Upon receiving a valid request, the controller must erase the data and take reasonable steps to inform any other controllers processing the data of the request. The technical implementation requires locating and deleting all instances of the data subject's personally identifiable information (PII) across primary databases, backups, logs, and derived datasets, often within a strict 30-day window.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.