GDPR Article 17 (Full Text) – Right to Erasure / Right to be Forgotten
The full text of GDPR Article 17: Right to erasure (‘right to be forgotten’) of the EU General Data Protection Regulation (adopted in May 2016 with an enforcement data of May 25, 2018) is below. This is the English version printed on April 6, 2016 before final adoption.
Article 17
Right to erasure (‘right to be forgotten’)
1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(e) for the establishment, exercise or defence of legal claims.
GDPR Article 16 (Previous) | GDPR Articles Index | GDPR Article 18 (Next)
Need help with the data subject access rights? Ask Clarip about how our data subject access request portal called the Privacy Center for Humans can make GDPR compliance with Articles 15 through 21 easier.
Contact Clarip for CCPA and GDPR Software
The Clarip privacy management software is ready to help improve your organization’s privacy practices. Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo with a member of the Clarip team.
If your immediate need is California Consumer Privacy Act compliance, take a look at our CCPA software. From consent management to powerful DSAR Software, Clarip offers enterprise privacy management at an affordable price.
Still working on GDPR compliance? We understand! Our GDPR software tools offer a range of options from data mapping software, DPIA automation, and cookie management for ePrivacy.
Click here to contact us (return messages within 24 hours) or call 1-888-252-5653 to schedule a demo and speak to a member of the Clarip team.