Right to Erasure and Right to Be Forgotten in Spain

·

The right to erasure — also known as the right to be forgotten — is one of the most frequently exercised rights against companies and public authorities since Regulation (EU) 2016/679 (GDPR) came into force. Its legal basis is found in Article 17 of the GDPR, which grants any natural person the right to request the deletion of their personal data when certain circumstances apply. However, not every request must be honoured: there are significant exceptions, particularly when the organisation has a legal obligation to retain the data. Knowing when data may — and when it must not — be erased is essential for GDPR compliance and for protecting the organisation against potential complaints before Spain's data protection authority, the Agencia Española de Protección de Datos (AEPD).

What Is the Right to Erasure under Article 17 of the GDPR

Article 17(1) of Regulation (EU) 2016/679 gives the data subject the right to obtain from the controller the erasure of personal data concerning them without undue delay, when at least one of the grounds enumerated in the Regulation applies.

The provision expressly distinguishes between two situations:

Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD — Ley Orgánica de Protección de Datos Personales y garantía de los derechos digitales) supplements the GDPR within the Spanish legal system. Its Article 15 refers to Article 17 GDPR for exercising the right to erasure, while Article 32 LOPDGDD governs data blocking, requiring the controller to block data upon rectification or erasure and to reserve it during the limitation period for potential liabilities. The LOPDGDD should not be confused with the now-repealed Organic Law 15/1999 (LOPD), which it replaced.

When Erasure Is Required: the Six Grounds under Article 17(1) GDPR

The controller is only obliged to erase personal data if at least one of the six grounds listed in Article 17(1) of the GDPR applies:

  1. The data are no longer necessary for the purposes for which they were collected or processed. If a customer relationship ended years ago and there is no other legal basis for retaining the data, the company must erase them once statutory retention periods have elapsed.
  2. The data subject withdraws consent on which the processing was based (art. 6(1)(a) or art. 9(2)(a) GDPR) and there is no other legal ground for the processing.
  3. The data subject objects to the processing pursuant to Article 21(1) GDPR (objection based on specific legitimate grounds) and there are no overriding legitimate grounds, or the data subject objects to processing for direct marketing purposes (art. 21(2) GDPR), in which case the objection admits no exceptions.
  4. The personal data have been processed unlawfully, i.e., without a valid legal basis from the outset.
  5. The data must be erased to comply with a legal obligation under Union or Member State law applicable to the controller.
  6. The data were obtained in connection with the offer of information society services to children (art. 8 GDPR) without the required parental consent.

If none of these grounds applies, the controller may refuse the request with stated reasons and inform the data subject of their right to lodge a complaint with the AEPD.

Exceptions: When the Company May — or Must — Refuse to Erase

Article 17(3) of the GDPR provides that the right to erasure does not apply when processing is necessary for any of the following purposes:

The most common exception in a business context is the legal retention obligation. A company cannot delete a customer's invoices even upon request, because Spanish tax law (Ley General Tributaria — General Tax Act) requires records with tax relevance to be retained for four years; commercial law (Código de Comercio — Commercial Code, art. 30) extends that period to six years for books, correspondence, and accounting documentation. Similarly, payroll, social-security affiliation, and occupational health and safety data must be retained for the periods laid down in labour and social-security legislation.

Grounds for Erasure versus Most Common Exceptions

Ground for erasure (art. 17(1) GDPR) Possible exception that overrides it (art. 17(3) GDPR) Practical example
Data no longer necessary for the original purpose Legal retention obligation (tax, commercial, labour law) Invoices must be retained for at least 4 years (Ley General Tributaria) even if the customer requests erasure
Withdrawal of consent No exception applies if the processing was based solely on consent and is no longer necessary The data subject withdraws consent to commercial communications: marketing data must be erased
Objection to processing (art. 21 GDPR) Establishment, exercise, or defence of judicial or administrative claims A former employee requests erasure of their data; the company may retain them while an active employment dispute is ongoing
Unlawful processing from the outset Very limited; if processing was unlawful, erasure is the general rule Data collected without a valid legal basis must be erased without delay
Data of minors (information society services) Very restrictive; the minor or their legal representative may demand erasure A digital platform that processed a minor's data without valid parental consent under art. 8 GDPR
Objection to direct marketing (art. 21(2)) None: objection to direct marketing admits no exceptions under art. 17(3) The data subject unsubscribes from the newsletter: data cannot be used for marketing even if other legitimate processing activities exist

If your organisation needs to assess whether a specific erasure request may be refused on the basis of a legal exception, Summum Consultoría supports you in managing data subject rights, with case-by-case analysis and protocols tailored to each sector and company size. We have offices in Castilla y León (Valladolid, Burgos, Palencia and Aranda de Duero) and in the Canary Islands (Las Palmas).

Difference between the Right to Erasure and the Right to Be Forgotten

Although the expression "right to be forgotten" is commonly used as a synonym for the right to erasure, in a strict sense the right to be forgotten refers to the specific dimension of Article 17(2) GDPR: the right to have data that were made public by the controller stop circulating in digital environments, including search engine results.

This dimension was recognised before the GDPR was adopted by the Court of Justice of the European Union (CJEU) in its judgment of 13 May 2014 in Case Google Spain SL and Google Inc. v AEPD and Mario Costeja González (C-131/12). The Court held that search engines act as data controllers in respect of personal data appearing on the indexed web pages, and that individuals have the right to request de-indexing of results that are inadequate, inaccurate, irrelevant, or excessive relative to the purposes of the processing and the time elapsed, even if the original information was lawfully published.

The Right to Be Forgotten vis-à-vis Search Engines

When a data subject exercises the right to be forgotten against a search engine such as Google, they do so directly against the search engine as data controller, independently of the original website where the information is published. The search engine must assess whether de-indexing is appropriate by balancing the data subject's right to privacy against the public interest in the information.

How to Request De-indexing from Google

Google provides an official request form for the removal of results under European data protection law. The data subject must identify the exact URLs of the results they wish removed and explain why each result is inadequate, irrelevant, or excessive given the time elapsed and their current situation. Google evaluates each request individually and may reject it if it considers that the public interest in accessing that information outweighs the applicant's right to privacy. If the request is rejected, the data subject may lodge a complaint with the AEPD.

Criteria Applied by the AEPD in Right-to-Be-Forgotten Complaints

The AEPD has developed consistent interpretive criteria through its rights-enforcement decisions and its Guide on the Right to Be Forgotten in Search Engines (Guía sobre el derecho al olvido en buscadores). The relevant factors include:

Time Limits for Responding to an Erasure Request

Article 12 of the GDPR sets the general time-limit framework for the exercise of rights, which applies to the right to erasure:

Free of charge is the rule: the controller may not charge the data subject for processing the request (art. 12(5) GDPR). The only exception is where requests are manifestly unfounded or excessive in view of their repetitive character: in that case, the controller may charge a reasonable fee taking into account the administrative costs, or refuse to act, but must demonstrate the manifestly unfounded or excessive nature of the request.

Obligation to Notify Third Parties of the Erasure: Article 19 GDPR

When the controller complies with an erasure request, Article 19 of the GDPR imposes an additional obligation to communicate the erasure to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. If the data subject requests it, the controller must inform them of those recipients.

This obligation is particularly relevant in common business scenarios: companies sharing data with entities within the same corporate group, CRM systems synchronised with external processors (marketing agencies, email platforms, cloud-based ERP), or data shared with credit reporting agencies. If erasure is carried out in the main database but the data persist in secondary databases or cloud services managed by processors, the erasure is incomplete and the controller remains in breach of the GDPR.

Article 28 of the GDPR requires data processing agreements to expressly regulate the processor's obligation to erase or return the data to the controller, at the controller's choice, upon termination of the service or upon the controller's request. Reviewing this clause in supplier contracts is an essential step before responding to an erasure request.

How to Handle Erasure Requests in Your Organisation

Correctly managing the right to erasure in an organisation requires a clear, documented internal protocol covering at least the following elements:

  1. An accessible channel for receiving requests. Article 12 of the GDPR prohibits imposing obstacles to the exercise of rights. The channel must be clearly identified in the privacy policy and easy to use (web form, dedicated email address, postal address).
  2. Reasonable verification of the requester's identity. Before erasing data, the controller must reasonably confirm that the person requesting erasure is indeed the data subject or their legal representative (art. 12(6) GDPR). Demanding disproportionate documents is not acceptable, but asking for information that confirms identity is.
  3. Assessment of whether the request should be complied with. Does any of the six grounds in Article 17(1) apply? Does any exception under Article 17(3) apply? This decision must be documented internally regardless of the outcome.
  4. Technical execution of erasure across all systems. Effective deletion from the main database, from processors' systems (art. 28 GDPR), and from archiving systems. Data must be prevented from being restored from backups in the next renewal cycles.
  5. Notification to third-party recipients in accordance with Article 19 GDPR, with documentation of the communications sent.
  6. Documented response to the data subject within the one-month period, stating the measures taken or the grounds for refusal.

The data protection team at Summum Consultoría offers support in implementing data subject rights management protocols, including the design of the exercise channel, GDPR-compliant response templates, and training for staff involved in handling requests. We have been helping companies in Castilla y León and the Canary Islands adapt their processes to data protection law since 2007.

Consequences of Non-Compliance

Failing to respond to an erasure request that should have been honoured, or failing to do so within the required period without justified reason, may result in:

Frequently Asked Questions

Can a company refuse to delete my data if it uses them to send me advertising?

No. If the data subject exercises the right to object to processing for direct marketing purposes under Article 21(2) GDPR, the controller must immediately cease that processing — no personal reason needs to be given. If the only legal basis for retaining the data was that marketing purpose, erasure must also follow. An unjustified refusal may be the subject of a complaint to the AEPD, which may initiate ex officio sanctioning proceedings.

How long does a company have to delete my data after I make a request?

The GDPR requires erasure to take place without undue delay (art. 17(1)) and the response to the data subject to be delivered within a maximum of one month from receipt of the request, extendable to three months in complex cases. In practice, technical execution may require a reasonable period when third-party systems are involved, but the response to the data subject and the commencement of execution must always occur within the first month. Exceeding that period without any communication is itself a breach of Article 12 of the GDPR.

Does the right to erasure include having Google remove results that appear when my name is searched?

Article 17(2) GDPR requires the controller who made the data public to inform third parties processing them — including search engines — of the erasure request. However, the data subject may also apply directly to Google via its official de-indexing form under European law, without going through the original publisher first. If Google rejects the de-indexing request, the data subject may complain to the AEPD, which will rule by balancing the right to privacy against the public interest in the information, following the criteria described in its Guide on the Right to Be Forgotten in Search Engines.

Does the company also have to erase backup copies?

Yes, though with technical nuances. Erasure must be effective and must cover backup systems too, but it is acceptable for deletion from backups to occur in the next renewal cycles rather than immediately. What is required from the outset is that erased data not be restored from those backups, except for a separately justified purpose. The controller must document this procedure in the Record of Processing Activities and state the backup erasure timescales in its data retention policy.