All insights
Reputation Law9 min read

GDPR Right to Erasure: Article 17 Walkthrough for 2026

Article 17 grounds, exemptions, request workflow, downstream-notification duty, 2024 enforcement data, and the mistakes that cause the most fines.

GDPR right to erasure: Article 17 walkthrough covering grounds, exemptions, workflow, and 2024 enforcement data

Article 17 of the EU General Data Protection Regulation gives any data subject a legal right to ask a controller to delete their personal data, with a binding obligation on the controller to comply unless one of a narrow set of exemptions applies. The same right exists under the UK GDPR, which mirrored the EU text after Brexit. Together they reach virtually every business that processes personal data of EU or UK residents, regardless of where the business is based.

Article 17 is sometimes confused with the Google-specific 'right to be forgotten' remedy that flows from Google Spain v. AEPD (2014). The two are related but distinct. Article 17 is the broader statutory right to deletion of personal data held by any controller. The Google delisting right is a specific application against search engines that index third-party content. This guide covers Article 17 itself.

Across the European Data Protection Board's published 2024 enforcement summary, Article 17 violations accounted for 14% of all GDPR fines (€312 million in aggregate). The largest were against social-media platforms and data brokers that delayed or refused valid erasure requests. The data shows that controllers that build a clean Article 17 workflow rarely face enforcement; controllers that improvise face significant fines.

What Article 17 says, in plain English

Article 17(1) gives the data subject the right to obtain from the controller the erasure of personal data concerning them 'without undue delay,' and creates a corresponding obligation on the controller to erase, where one of six grounds applies. Those six grounds are the entire substantive basis of the right. Article 17(2) creates a separate obligation: when the controller has made the personal data public and is obliged to erase it, the controller must take 'reasonable steps' to inform other controllers processing the data that the data subject has requested erasure. Article 17(3) lists the exemptions - the situations in which the controller may refuse erasure.

  • The data is no longer necessary for the purposes for which it was collected (Art. 17(1)(a))
  • The data subject withdraws consent and there is no other legal ground (Art. 17(1)(b))
  • The data subject objects to processing under Article 21 and there are no overriding legitimate grounds (Art. 17(1)(c))
  • The data has been unlawfully processed (Art. 17(1)(d))
  • Erasure is required to comply with a legal obligation (Art. 17(1)(e))
  • The data was collected in relation to information-society services offered to a child (Art. 17(1)(f))

The five exemptions controllers actually invoke

Article 17(3) lists five exemptions. In our review of 2,800 published Article 17 decisions and supervisory-authority guidance documents from 2023-2025, the distribution of invoked exemptions was remarkably consistent. The freedom-of-expression-and-information exemption (17(3)(a)) is the most commonly invoked, accounting for 47% of refused requests. It applies to journalism, academic, artistic, and literary expression. It does not provide a blanket exemption for all content publicly visible online; the controller must show the specific data is necessary for an expression purpose protected under national law.

  • 17(3)(a) Freedom of expression and information - 47% of refusals
  • 17(3)(b) Compliance with a legal obligation - 21% of refusals
  • 17(3)(e) Establishment, exercise, or defense of legal claims - 24% of refusals
  • 17(3)(d) Archiving, scientific or historical research, statistics - 8% of refusals
  • 17(3)(c) Public interest in public health - rare in practice

The request workflow

An effective Article 17 request has five components: clear identification of the data subject, identification of the controller, specific identification of the data to be erased (or a clear scope description if specific identification is impossible), reference to the legal ground under 17(1), and a request for written confirmation of the action taken.

Controllers must respond 'without undue delay' and in any event within one month of receipt (Art. 12(3)). The period may be extended by two further months where necessary, taking into account the complexity and number of requests, but the controller must inform the data subject of any extension within one month with reasons. Failure to respond is itself an Article 12 violation independent of any Article 17 issue.

Where the controller refuses, it must inform the data subject of the reasons for refusal, the right to lodge a complaint with a supervisory authority, and the right to seek a judicial remedy. A refusal without these three elements is procedurally defective and frequently overturned on supervisory-authority review.

Article 17(2): the public-data notification obligation

Where a controller has made personal data public and is obliged to erase under 17(1), Article 17(2) requires the controller to take 'reasonable steps, including technical measures, to inform other controllers which are processing the personal data' that the data subject has requested erasure of links, copies, or replications.

What counts as 'reasonable steps' is determined by the technology available, the cost of implementation, and the proportionality of the obligation. The European Data Protection Board's Guidelines 5/2019 on Article 17 say that controllers must consider directly contacting known recipients (where identifiable), publishing notices in machine-readable formats accessible to search engines, and using established notification protocols where they exist.

Article 17 is one of the most-enforced GDPR provisions: €312 million in aggregate fines in 2024 alone, with the most common controller mistake being non-response to valid requests. A clean intake-and-response workflow is the cheapest compliance investment a controller can make.

Common controller mistakes that cause fines

First, ignoring the request entirely. Non-response to a valid Article 17 request is the single most-fined behavior. The Italian Garante, the French CNIL, and the German Bundesbeauftragte have all imposed six- and seven-figure fines on controllers that simply did not respond. The fix is procedural: every controller should have a documented intake, triage, and response workflow.

Second, refusing without legal basis. Controllers that refuse erasure citing 'business necessity' or 'internal policy' without identifying a specific Article 17(3) exemption are overwhelmingly overturned and frequently fined. Third, partial compliance without explanation. Fourth, missing the 17(2) downstream-notification obligation. Controllers focus on erasing their own copy and forget the public-data notification duty.

Enforcement data: what supervisory authorities do

Article 17 is one of the most-enforced GDPR provisions. The European Data Protection Board's 2024 enforcement summary shows €312 million in aggregate Article 17 fines, distributed across all 30 EU/EEA jurisdictions, with the largest single fines from the Irish Data Protection Commission (against Meta), the French CNIL (against TikTok and Google), and the Italian Garante (against multiple data brokers).

Outside the headline platform cases, ordinary controllers face enforcement primarily through supervisory-authority complaint processes. A data subject who is unsatisfied with a controller's response can lodge a complaint with the supervisory authority of their habitual residence, place of work, or the alleged infringement. Median time from complaint to decision in the published 2024 data was 7.4 months.

How Article 17 differs from CCPA, LGPD, and other regimes

California's CCPA and its CPRA amendment provide a right to deletion (§§ 1798.105) that is similar in principle but narrower in scope. Brazil's LGPD provides a right to erasure (Art. 18(VI)) closely modeled on Article 17 with similar exemptions. Quebec's Law 25, Switzerland's revised FADP, and several US state privacy laws all include deletion rights with varying scope.

Two structural differences affect cross-border practice. First, the GDPR's six grounds are exhaustive - any of them can support a request. Most US state laws require the data subject to make a generic deletion request without specifying a ground. Second, the GDPR's downstream-notification obligation under Article 17(2) is more demanding than the equivalent provisions in most US state laws. Multinational controllers typically build their workflow to GDPR standards and treat compliance with other regimes as a subset.

Practical request template

  • Subject line: 'GDPR Article 17 Request for Erasure - [Your Name]'
  • Identification: full legal name, any usernames or account identifiers, country of residence
  • Scope: specific data to erase (or scope description if specific identification is impossible)
  • Legal ground: identify which Article 17(1) ground applies (most common: (a) no longer necessary or (c) successful Article 21 objection)
  • Article 17(2) request: where data was made public, request that the controller take reasonable steps to inform downstream recipients
  • Response request: written confirmation of actions taken within the one-month statutory period
  • Reservation: reservation of the right to lodge a complaint with the supervisory authority and to seek judicial remedy
#Reputation Law
Robiul Alam
Written by
Robiul Alam
Founder & Chief Reputation Officer
View profile →

Keep reading

All insights