Right to Erasure (Article 17) – Comprehensive Guide for CIPP/E Exam Preparation
Introduction
The Right to Erasure, often referred to as the Right to Be Forgotten, is one of the most significant and widely discussed data subject rights under the General Data Protection Regulation (GDPR). Enshrined in Article 17, this right empowers individuals to request that controllers delete their personal data under specific circumstances. For anyone preparing for the CIPP/E exam, a thorough understanding of Article 17 — including its scope, grounds, exceptions, and practical application — is essential.
Why Is the Right to Erasure Important?
The Right to Erasure is important for several key reasons:
1. Empowerment of Data Subjects: It gives individuals meaningful control over their personal data by allowing them to request deletion when processing is no longer justified.
2. Data Minimisation Principle: It reinforces the GDPR's data minimisation principle (Article 5(1)(c)), ensuring organisations do not retain personal data beyond what is necessary.
3. Trust and Transparency: By providing individuals with the ability to have their data removed, organisations build trust and demonstrate accountability.
4. Historical Significance: The right gained prominence following the landmark Google Spain SL v. Agencia Española de Protección de Datos (AEPD) case (C-131/12, 2014), in which the Court of Justice of the European Union (CJEU) ruled that individuals could request search engines to de-index certain results linked to their name.
5. Balancing Rights: It creates a framework for balancing an individual's privacy interests against other fundamental rights such as freedom of expression and information.
What Is the Right to Erasure (Article 17)?
Article 17(1) of the GDPR provides that the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(a) The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
(b) The data subject withdraws consent on which the processing is based (under Article 6(1)(a) or Article 9(2)(a)), and there is no other legal ground for the processing.
(c) The data subject objects to the processing pursuant to Article 21(1) (legitimate interests ground) and there are no overriding legitimate grounds for the processing, or the data subject objects to processing for direct marketing purposes under Article 21(2).
(d) The personal data have been unlawfully processed.
(e) The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
(f) The personal data have been collected in relation to the offer of information society services directly to a child under Article 8(1).
How Does the Right to Erasure Work in Practice?
Step 1: Receiving the Request
A data subject submits an erasure request to the controller. There is no prescribed form — it can be made verbally or in writing. Controllers should have clear procedures for receiving and logging such requests.
Step 2: Verification of Identity
The controller must verify the identity of the person making the request, particularly if there are reasonable doubts. However, controllers should not request excessive information for verification purposes.
Step 3: Assessment of Grounds
The controller must assess whether one of the six grounds under Article 17(1) applies. This is a critical step that requires careful analysis of the legal basis for processing, the purpose of retention, and any applicable exceptions.
Step 4: Considering Exceptions (Article 17(3))
Even where one of the grounds for erasure applies, the right does not apply to the extent that processing is necessary for:
• (a) Exercising the right of freedom of expression and information.
• (b) Compliance with a legal obligation which requires processing by Union or Member State law, or for the performance of a task carried out in the public interest or in the exercise of official authority.
• (c) Reasons of public interest in the area of public health (Articles 9(2)(h) and (i) and Article 9(3)).
• (d) Archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes (Article 89(1)), insofar as erasure would seriously impair the objectives of such processing.
• (e) The establishment, exercise, or defence of legal claims.
Step 5: Taking Action
If the erasure request is valid and no exception applies, the controller must erase the data without undue delay and, in any event, within one month of receipt of the request. This period can be extended by a further two months where necessary, taking into account the complexity and number of requests, but the data subject must be informed of the extension within the first month.
Step 6: Notification to Third Parties (Article 17(2))
Where the controller has made the personal data public, Article 17(2) requires the controller to take reasonable steps, including technical measures, to inform other controllers processing those data that the data subject has requested erasure of any links to, copies of, or replications of that data. This obligation takes into account available technology and the cost of implementation.
Step 7: Notification Under Article 19
Article 19 further requires the controller to communicate the erasure to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller must inform the data subject about those recipients if the data subject requests it.
Key Concepts and Nuances to Understand
1. Relationship with the Right to Object (Article 21):
Ground (c) of Article 17(1) links directly to Article 21. If a data subject objects to processing based on legitimate interests (Article 6(1)(f)) and the controller cannot demonstrate overriding legitimate grounds, the erasure right is triggered. For direct marketing objections under Article 21(2), there is an absolute right — no balancing test is required, and erasure follows automatically.
2. Children's Data:
Ground (f) highlights the GDPR's enhanced protection for children. Where data was collected from a child in the context of information society services, the right to erasure applies with particular force, reflecting the idea that a child may not have been fully aware of the risks of processing at the time consent was given.
3. Scope of Erasure:
Erasure means the complete destruction of the data so it can no longer be processed or accessed. This includes data in backups, although controllers may argue that erasure from backup systems is technically challenging and may take a reasonable additional period, provided the data is no longer actively processed.
4. Refusal and Communication:
If the controller refuses the request, it must inform the data subject without undue delay and at the latest within one month of the reasons for the refusal and the right to lodge a complaint with a supervisory authority and to seek a judicial remedy.
5. No Fee (Generally):
The right to erasure is exercised free of charge. However, under Article 12(5), where requests are manifestly unfounded or excessive, particularly because of their repetitive character, the controller may either charge a reasonable fee or refuse to act on the request.
6. Google Spain Legacy:
The Google Spain judgment predates the GDPR but heavily influenced Article 17. In the CJEU's subsequent ruling in Google LLC v. CNIL (C-507/17, 2019), the court held that the right to de-referencing does not require a search engine operator to carry out de-referencing on all versions of its search engine globally — it is limited to EU versions, though the operator must take measures to discourage EU users from accessing non-EU versions.
Practical Scenarios for Exam Preparation
Scenario 1: A user deletes their social media account and requests erasure of all their data. The platform must assess whether it has any other legal basis (e.g., legal obligations to retain certain transaction records) before fully erasing all data.
Scenario 2: A former employee requests erasure of their employment records. The employer may rely on the exception under Article 17(3)(b) (legal obligation) or Article 17(3)(e) (legal claims) if retention is necessary for compliance with employment law or potential litigation.
Scenario 3: A data subject asks a search engine to de-index results about a past criminal conviction. The search engine must balance the right to erasure against freedom of expression and the public's right to information, considering factors such as the nature of the offence, the time elapsed, and the data subject's public role.
Exam Tips: Answering Questions on Right to Erasure (Article 17)
Tip 1: Know the Six Grounds Inside Out
Memorise the six grounds under Article 17(1)(a)–(f). Exam questions often present a factual scenario and ask you to identify which ground applies. Practice mapping facts to each ground systematically.
Tip 2: Always Consider the Exceptions
After identifying a ground for erasure, always check whether an exception under Article 17(3) applies. A common exam trap is presenting a scenario where erasure seems straightforward but an exception (such as legal claims or legal obligation) overrides the right. The examiners want to see that you can apply the balancing test.
Tip 3: Understand the Link Between Article 17 and Article 21
Questions may interweave the right to object with the right to erasure. Remember that a successful objection under Article 21(1) triggers the right to erasure under Article 17(1)(c), but only if no overriding legitimate grounds exist. For direct marketing, the objection is absolute and erasure follows without any balancing.
Tip 4: Remember Article 17(2) — the Public Disclosure Obligation
If the scenario involves data that has been made public (e.g., published online), you need to address the controller's duty to take reasonable steps to notify other controllers. This is a frequently tested element that distinguishes thorough answers from incomplete ones.
Tip 5: Discuss Time Limits and Procedural Requirements
Reference the one-month response period from Article 12(3), the possibility of a two-month extension, and the requirement to inform the data subject if the request is refused. Demonstrating knowledge of procedural requirements shows depth of understanding.
Tip 6: Reference Key Case Law
Where relevant, mention Google Spain (C-131/12) and Google v. CNIL (C-507/17). These cases are foundational to understanding the right to erasure in the context of search engines and the territorial scope of de-referencing obligations.
Tip 7: Distinguish Erasure from Other Rights
Be clear about how the right to erasure differs from the right to restriction of processing (Article 18). Restriction means the data is retained but not actively processed, whereas erasure means complete deletion. Some scenarios may require restriction rather than erasure — for example, where the accuracy of data is contested.
Tip 8: Consider Children's Data Specifically
If the question involves a minor or data collected from a child in the context of online services, highlight Article 17(1)(f) and the GDPR's enhanced protections. Recital 65 emphasises that the right to erasure is particularly relevant where consent was given as a child and the data subject later wishes to remove the data.
Tip 9: Address Technical and Practical Challenges
In essay-style or scenario-based questions, it can be valuable to acknowledge the practical challenges of erasure, such as data stored in backup systems, distributed databases, or data shared with multiple processors. This shows a mature understanding of the real-world application of Article 17.
Tip 10: Structure Your Answer Clearly
For any Article 17 question, use a clear structure: (1) identify the ground(s) for erasure, (2) check for exceptions, (3) address procedural requirements (time limits, notification to third parties), and (4) reach a conclusion. This systematic approach ensures you cover all necessary elements and maximise your marks.
Summary
The Right to Erasure under Article 17 of the GDPR is a cornerstone data subject right that reflects the regulation's commitment to individual control over personal data. It applies across six specified grounds, but is subject to important exceptions that protect competing interests such as freedom of expression, public health, and the defence of legal claims. For the CIPP/E exam, mastering the interplay between the grounds for erasure, the exceptions, related articles (particularly Articles 12, 19, and 21), and key CJEU case law will ensure you can tackle any question on this topic with confidence and precision.
