The right to erasure — also known as the right to be forgotten — is one of the most frequently exercised rights against companies and public authorities since Regulation (EU) 2016/679 (GDPR) came into force. Its legal basis is found in Article 17 of the GDPR, which grants any natural person the right to request the deletion of their personal data when certain circumstances apply. However, not every request must be honoured: there are significant exceptions, particularly when the organisation has a legal obligation to retain the data. Knowing when data may — and when it must not — be erased is essential for GDPR compliance and for protecting the organisation against potential complaints before Spain's data protection authority, the Agencia Española de Protección de Datos (AEPD).
What Is the Right to Erasure under Article 17 of the GDPR
Article 17(1) of Regulation (EU) 2016/679 gives the data subject the right to obtain from the controller the erasure of personal data concerning them without undue delay, when at least one of the grounds enumerated in the Regulation applies.
The provision expressly distinguishes between two situations:
- Erasure of data in the context of direct relationships between the data subject and the controller (for example, a customer asking a company to delete their purchase history or contact details).
- The right to be forgotten with respect to data that the controller itself has made public. In this case, Article 17(2) of the GDPR requires the controller to take reasonable steps — including technical measures — to inform other controllers processing the data that the data subject has requested erasure of any links to, copies of, or replications of those personal data.
Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD — Ley Orgánica de Protección de Datos Personales y garantía de los derechos digitales) supplements the GDPR within the Spanish legal system. Its Article 15 refers to Article 17 GDPR for exercising the right to erasure, while Article 32 LOPDGDD governs data blocking, requiring the controller to block data upon rectification or erasure and to reserve it during the limitation period for potential liabilities. The LOPDGDD should not be confused with the now-repealed Organic Law 15/1999 (LOPD), which it replaced.
When Erasure Is Required: the Six Grounds under Article 17(1) GDPR
The controller is only obliged to erase personal data if at least one of the six grounds listed in Article 17(1) of the GDPR applies:
- The data are no longer necessary for the purposes for which they were collected or processed. If a customer relationship ended years ago and there is no other legal basis for retaining the data, the company must erase them once statutory retention periods have elapsed.
- The data subject withdraws consent on which the processing was based (art. 6(1)(a) or art. 9(2)(a) GDPR) and there is no other legal ground for the processing.
- The data subject objects to the processing pursuant to Article 21(1) GDPR (objection based on specific legitimate grounds) and there are no overriding legitimate grounds, or the data subject objects to processing for direct marketing purposes (art. 21(2) GDPR), in which case the objection admits no exceptions.
- The personal data have been processed unlawfully, i.e., without a valid legal basis from the outset.
- The data must be erased to comply with a legal obligation under Union or Member State law applicable to the controller.
- The data were obtained in connection with the offer of information society services to children (art. 8 GDPR) without the required parental consent.
If none of these grounds applies, the controller may refuse the request with stated reasons and inform the data subject of their right to lodge a complaint with the AEPD.
Exceptions: When the Company May — or Must — Refuse to Erase
Article 17(3) of the GDPR provides that the right to erasure does not apply when processing is necessary for any of the following purposes:
- Exercising the right to freedom of expression and information, balancing the public interest in the information against the data subject's right to privacy.
- Compliance with a legal obligation requiring processing under Union or Member State law, or the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Reasons of public interest in the area of public health as referred to in Article 9(2)(h) and (i) GDPR.
- Purposes of archiving in the public interest, scientific or historical research, or statistical purposes in accordance with Article 89(1) GDPR, in so far as the right to erasure is likely to render impossible or seriously impair the achievement of the processing objectives.
- The establishment, exercise, or defence of legal claims, whether judicial, administrative, or out-of-court.
The most common exception in a business context is the legal retention obligation. A company cannot delete a customer's invoices even upon request, because Spanish tax law (Ley General Tributaria — General Tax Act) requires records with tax relevance to be retained for four years; commercial law (Código de Comercio — Commercial Code, art. 30) extends that period to six years for books, correspondence, and accounting documentation. Similarly, payroll, social-security affiliation, and occupational health and safety data must be retained for the periods laid down in labour and social-security legislation.
Grounds for Erasure versus Most Common Exceptions
| Ground for erasure (art. 17(1) GDPR) | Possible exception that overrides it (art. 17(3) GDPR) | Practical example |
|---|---|---|
| Data no longer necessary for the original purpose | Legal retention obligation (tax, commercial, labour law) | Invoices must be retained for at least 4 years (Ley General Tributaria) even if the customer requests erasure |
| Withdrawal of consent | No exception applies if the processing was based solely on consent and is no longer necessary | The data subject withdraws consent to commercial communications: marketing data must be erased |
| Objection to processing (art. 21 GDPR) | Establishment, exercise, or defence of judicial or administrative claims | A former employee requests erasure of their data; the company may retain them while an active employment dispute is ongoing |
| Unlawful processing from the outset | Very limited; if processing was unlawful, erasure is the general rule | Data collected without a valid legal basis must be erased without delay |
| Data of minors (information society services) | Very restrictive; the minor or their legal representative may demand erasure | A digital platform that processed a minor's data without valid parental consent under art. 8 GDPR |
| Objection to direct marketing (art. 21(2)) | None: objection to direct marketing admits no exceptions under art. 17(3) | The data subject unsubscribes from the newsletter: data cannot be used for marketing even if other legitimate processing activities exist |
If your organisation needs to assess whether a specific erasure request may be refused on the basis of a legal exception, Summum Consultoría supports you in managing data subject rights, with case-by-case analysis and protocols tailored to each sector and company size. We have offices in Castilla y León (Valladolid, Burgos, Palencia and Aranda de Duero) and in the Canary Islands (Las Palmas).
Difference between the Right to Erasure and the Right to Be Forgotten
Although the expression "right to be forgotten" is commonly used as a synonym for the right to erasure, in a strict sense the right to be forgotten refers to the specific dimension of Article 17(2) GDPR: the right to have data that were made public by the controller stop circulating in digital environments, including search engine results.
This dimension was recognised before the GDPR was adopted by the Court of Justice of the European Union (CJEU) in its judgment of 13 May 2014 in Case Google Spain SL and Google Inc. v AEPD and Mario Costeja González (C-131/12). The Court held that search engines act as data controllers in respect of personal data appearing on the indexed web pages, and that individuals have the right to request de-indexing of results that are inadequate, inaccurate, irrelevant, or excessive relative to the purposes of the processing and the time elapsed, even if the original information was lawfully published.
The Right to Be Forgotten vis-à-vis Search Engines
When a data subject exercises the right to be forgotten against a search engine such as Google, they do so directly against the search engine as data controller, independently of the original website where the information is published. The search engine must assess whether de-indexing is appropriate by balancing the data subject's right to privacy against the public interest in the information.
How to Request De-indexing from Google
Google provides an official request form for the removal of results under European data protection law. The data subject must identify the exact URLs of the results they wish removed and explain why each result is inadequate, irrelevant, or excessive given the time elapsed and their current situation. Google evaluates each request individually and may reject it if it considers that the public interest in accessing that information outweighs the applicant's right to privacy. If the request is rejected, the data subject may lodge a complaint with the AEPD.
Criteria Applied by the AEPD in Right-to-Be-Forgotten Complaints
The AEPD has developed consistent interpretive criteria through its rights-enforcement decisions and its Guide on the Right to Be Forgotten in Search Engines (Guía sobre el derecho al olvido en buscadores). The relevant factors include:
- Time elapsed since the information was published: the greater the temporal distance, the more weight the right to privacy carries against the public interest.
- Nature of the data: data belonging to special categories (health, ideology, ethnic origin, criminal convictions) carry greater weight in favour of de-indexing.
- Profile of the data subject: individuals with a public profile — politicians, well-known business figures, public personalities — have a reduced privacy expectation with regard to their public conduct.
- Currency and relevance of the information: a currently newsworthy piece of general interest carries more weight than historical data with no present informational value.
- Accuracy of the information: outdated or partially incorrect data favours de-indexing.
- Potential harm to the data subject: information that could seriously affect reputation, employment, or personal safety carries greater weight in favour of erasure.
Time Limits for Responding to an Erasure Request
Article 12 of the GDPR sets the general time-limit framework for the exercise of rights, which applies to the right to erasure:
- The controller must respond within one month of receiving the request, informing the data subject of the measures taken or, where applicable, the reasons for refusing the request.
- This period may be extended by a further two months where the request is particularly complex or a large number of requests have been received simultaneously. The controller must notify the data subject of the extension and the reasons for it within the first month, without waiting for the initial period to expire.
- If the controller decides not to comply with the request — because none of the grounds in Article 17(1) applies or because an exception under Article 17(3) is invoked — it must inform the data subject within one month, explain the specific reasons, and remind them of their right to lodge a complaint with the AEPD and to seek judicial redress.
Free of charge is the rule: the controller may not charge the data subject for processing the request (art. 12(5) GDPR). The only exception is where requests are manifestly unfounded or excessive in view of their repetitive character: in that case, the controller may charge a reasonable fee taking into account the administrative costs, or refuse to act, but must demonstrate the manifestly unfounded or excessive nature of the request.
Obligation to Notify Third Parties of the Erasure: Article 19 GDPR
When the controller complies with an erasure request, Article 19 of the GDPR imposes an additional obligation to communicate the erasure to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. If the data subject requests it, the controller must inform them of those recipients.
This obligation is particularly relevant in common business scenarios: companies sharing data with entities within the same corporate group, CRM systems synchronised with external processors (marketing agencies, email platforms, cloud-based ERP), or data shared with credit reporting agencies. If erasure is carried out in the main database but the data persist in secondary databases or cloud services managed by processors, the erasure is incomplete and the controller remains in breach of the GDPR.
Article 28 of the GDPR requires data processing agreements to expressly regulate the processor's obligation to erase or return the data to the controller, at the controller's choice, upon termination of the service or upon the controller's request. Reviewing this clause in supplier contracts is an essential step before responding to an erasure request.
How to Handle Erasure Requests in Your Organisation
Correctly managing the right to erasure in an organisation requires a clear, documented internal protocol covering at least the following elements:
- An accessible channel for receiving requests. Article 12 of the GDPR prohibits imposing obstacles to the exercise of rights. The channel must be clearly identified in the privacy policy and easy to use (web form, dedicated email address, postal address).
- Reasonable verification of the requester's identity. Before erasing data, the controller must reasonably confirm that the person requesting erasure is indeed the data subject or their legal representative (art. 12(6) GDPR). Demanding disproportionate documents is not acceptable, but asking for information that confirms identity is.
- Assessment of whether the request should be complied with. Does any of the six grounds in Article 17(1) apply? Does any exception under Article 17(3) apply? This decision must be documented internally regardless of the outcome.
- Technical execution of erasure across all systems. Effective deletion from the main database, from processors' systems (art. 28 GDPR), and from archiving systems. Data must be prevented from being restored from backups in the next renewal cycles.
- Notification to third-party recipients in accordance with Article 19 GDPR, with documentation of the communications sent.
- Documented response to the data subject within the one-month period, stating the measures taken or the grounds for refusal.
The data protection team at Summum Consultoría offers support in implementing data subject rights management protocols, including the design of the exercise channel, GDPR-compliant response templates, and training for staff involved in handling requests. We have been helping companies in Castilla y León and the Canary Islands adapt their processes to data protection law since 2007.
Consequences of Non-Compliance
Failing to respond to an erasure request that should have been honoured, or failing to do so within the required period without justified reason, may result in:
- A complaint to the AEPD by the data subject, which may trigger an ex officio sanctioning procedure against the company.
- Administrative fines under Article 83 of the GDPR. Failure to comply with Article 17 may be classified as a serious or very serious infringement under the LOPDGDD. Article 83(5) GDPR provides for fines of up to EUR 20,000,000 or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. Article 83(4) provides for fines of up to EUR 10,000,000 or 2% for less serious infringements. The AEPD considers in each case the nature, gravity and duration of the infringement, the degree of responsibility, and the measures taken to mitigate the damage.
- Civil actions by the data subject seeking protection of their right and, where applicable, compensation for damages.
Frequently Asked Questions
Can a company refuse to delete my data if it uses them to send me advertising?
No. If the data subject exercises the right to object to processing for direct marketing purposes under Article 21(2) GDPR, the controller must immediately cease that processing — no personal reason needs to be given. If the only legal basis for retaining the data was that marketing purpose, erasure must also follow. An unjustified refusal may be the subject of a complaint to the AEPD, which may initiate ex officio sanctioning proceedings.
How long does a company have to delete my data after I make a request?
The GDPR requires erasure to take place without undue delay (art. 17(1)) and the response to the data subject to be delivered within a maximum of one month from receipt of the request, extendable to three months in complex cases. In practice, technical execution may require a reasonable period when third-party systems are involved, but the response to the data subject and the commencement of execution must always occur within the first month. Exceeding that period without any communication is itself a breach of Article 12 of the GDPR.
Does the right to erasure include having Google remove results that appear when my name is searched?
Article 17(2) GDPR requires the controller who made the data public to inform third parties processing them — including search engines — of the erasure request. However, the data subject may also apply directly to Google via its official de-indexing form under European law, without going through the original publisher first. If Google rejects the de-indexing request, the data subject may complain to the AEPD, which will rule by balancing the right to privacy against the public interest in the information, following the criteria described in its Guide on the Right to Be Forgotten in Search Engines.
Does the company also have to erase backup copies?
Yes, though with technical nuances. Erasure must be effective and must cover backup systems too, but it is acceptable for deletion from backups to occur in the next renewal cycles rather than immediately. What is required from the outset is that erased data not be restored from those backups, except for a separately justified purpose. The controller must document this procedure in the Record of Processing Activities and state the backup erasure timescales in its data retention policy.