Right to be Forgotten (EU)

The right under GDPR Article 17 for individuals to request the erasure of their personal data when it's no longer necessary, consent is withdrawn, or the data was unlawfully processed, subject to specific exceptions for legal obligations, public interest, and legal claims.

What Is the Right to be Forgotten?

Key Takeaways

  • The right to be forgotten (formally the "right to erasure") is established by GDPR Article 17 and the UK GDPR. It gives individuals the right to request that an organisation delete their personal data in certain circumstances.
  • The right isn't absolute. It must be balanced against other legal obligations, public interest considerations, freedom of expression, legal claims, and archiving purposes.
  • In an employment context, erasure requests most commonly arise from former employees and unsuccessful job applicants. Current employees rarely request erasure because their data is needed for the ongoing employment relationship.
  • Employers must respond to erasure requests within 30 days (one calendar month). If the request is complex, the deadline can be extended by a further 2 months, but the individual must be notified of the extension within the first month.
  • The right originated in the CJEU's 2014 Google Spain ruling, where the Court held that individuals could request search engines to de-index results containing their personal data under certain conditions.

The name "right to be forgotten" is slightly misleading. It doesn't mean an organisation must erase every trace of a person's existence. It means that in specific situations, personal data must be deleted when the individual requests it and no overriding legal ground justifies retaining it. For HR teams, this right creates a practical challenge: how do you respond to erasure requests while still meeting legal retention obligations? An employee's tax records can't be deleted just because they ask, since tax law requires retention. But their photo from the company newsletter, their data in the HRIS after the retention period has expired, or their records from a voluntary wellness programme can and should be deleted when the right applies. The right to erasure is closely linked to data minimisation and storage limitation principles. If you only collect what you need and delete it when you no longer need it, most erasure requests become straightforward because the data either shouldn't exist anymore or is still subject to a valid retention requirement.

  • Article 17: GDPR article establishing the right to erasure (commonly called the 'right to be forgotten')
  • 6: Grounds on which an individual can request erasure of their personal data under Article 17(1)
  • 30 days: Maximum time to respond to an erasure request (one calendar month, extendable by 2 months for complex cases)
  • 2014: Year the CJEU established the right to be forgotten in Google Spain v AEPD, before GDPR codified it

Six Grounds for Requesting Erasure

Article 17(1) lists six grounds on which an individual can request deletion of their personal data. At least one must apply for the right to be triggered.

Ground | Article Reference | HR Example
Data no longer necessary for its original purpose | Art. 17(1)(a) | An unsuccessful applicant's CV 12 months after the recruitment process ended
Consent withdrawn | Art. 17(1)(b) | An employee withdraws consent for their photo to be used on the company website
Individual objects to processing (and no overriding grounds exist) | Art. 17(1)(c) | A former employee objects to their data being used for HR analytics benchmarking
Data was unlawfully processed | Art. 17(1)(d) | Employee data was collected without a lawful basis or processed beyond the stated purpose
Erasure is required to comply with a legal obligation | Art. 17(1)(e) | EU or member state law requires the data to be deleted after a specific period
Data was collected from a child in relation to information society services | Art. 17(1)(f) | Rarely relevant in employment, but applies to online services offered to minors

When Employers Can Refuse Erasure

Article 17(3) lists five exceptions where the right to erasure doesn't apply, even if one of the six grounds is met. These exceptions are critical for HR teams managing legal retention obligations.

Legal obligation (Article 17(3)(b))

Employers can refuse erasure when they're legally required to keep the data. Tax records (typically 6 years in the UK, varying periods in EU member states), payroll records, health and safety documentation, pension records, and statutory reports all fall under this exception. The legal obligation must be specific and identifiable. A vague claim that "we might need it for legal purposes" isn't sufficient.

Legal claims (Article 17(3)(e))

Data that's necessary for the establishment, exercise, or defence of legal claims can be retained. This is particularly relevant during the limitation period for employment claims. In the UK, unfair dismissal claims must be brought within 3 months, but discrimination claims and breach of contract claims have longer limitation periods (up to 6 years). Employers commonly retain employment records for 6 years after the employment relationship ends to cover potential litigation. Once the limitation period expires and no claim is pending, this exception no longer applies.

Freedom of expression and information (Article 17(3)(a))

This exception protects journalistic, academic, artistic, and literary processing. It's rarely relevant in a standard HR context but could apply to internal publications, research, or historical archives.

Public health and archiving (Article 17(3)(c) and (d))

Data processed for public health purposes (such as occupational health screening data required by public health law) or for archiving purposes in the public interest, scientific or historical research, or statistical purposes can be retained. The archiving exception has strict conditions: the erasure must be likely to render impossible or seriously impair the achievement of the archiving objectives.

How to Handle Erasure Requests in HR

A structured process helps HR teams respond correctly and on time.

Receiving and assessing the request

An erasure request doesn't need to mention GDPR or Article 17. "Please delete all my data" is a valid request. When received, log the date (starting the 30-day clock), verify the requester's identity, identify which ground(s) the request falls under, and assess whether any exceptions apply. If the request is partially valid (some data should be deleted, some must be retained), respond accordingly: delete what you can, explain what you're keeping and why.

Executing the deletion

Deletion means actually removing the data so it can't be retrieved, not just marking it as inactive. Check all systems: HRIS, email (including archived folders), shared drives, backup tapes (where practicable), paper files, third-party processors, and any analytics or reporting databases. Inform all third parties to whom the data was disclosed (Article 17(2) requires this). If the data was made public (for example, an employee profile on the company website), take reasonable steps to inform other controllers processing that data. Document what was deleted, from which systems, and on what date.

Responding to the individual

Respond within 30 days. If you've complied fully, confirm what data was deleted. If you've partially complied, explain what was deleted and what was retained (with reasons for retention, citing the specific Article 17(3) exception). If you've refused entirely, explain the grounds for refusal and inform the individual of their right to complain to the supervisory authority (ICO in the UK, relevant DPA in EU member states). The response must be in clear, plain language.

Common Erasure Request Scenarios in HR

These scenarios illustrate how the right to erasure applies in typical HR situations.

Former employee requests deletion of all records

You must assess each data category separately. Tax and payroll records: retain for the legally mandated period (typically 6 years). Contract and disciplinary records: retain for the limitation period for legal claims (typically 6 years after the employment relationship ends). Emergency contact information: delete (no longer necessary). Photos and social media posts: delete unless a separate legal basis applies. Training records: delete unless legally required. HRIS profile data beyond legal retention: delete. Respond confirming what was deleted and what's being retained under Article 17(3)(b) and (e).

Unsuccessful job applicant requests deletion

If your retention period for unsuccessful applicant data has expired (typically 6 to 12 months), delete the data. The original purpose (recruitment) has been fulfilled, and no exception applies. If the retention period hasn't expired, you may retain the data for the remainder of the period (citing legitimate interests or legal claims defence). If the applicant gave consent for future opportunities and now withdraws it, delete the data stored under that consent. Recruitment agencies holding the data on your behalf must also be notified.

Current employee requests deletion of specific data

A current employee's request is more complex because most data is needed for the ongoing employment relationship. If they request deletion of data that's necessary to perform the contract (payroll details, contact information), you can refuse under Article 17(3). If they request deletion of data collected for a separate, optional purpose (wellness programme participation, non-mandatory photos, voluntary survey responses), and consent was the lawful basis, the erasure must be carried out.

The Backup and Archive Dilemma

One of the most practical challenges with the right to erasure is handling data stored in backups and archives.

Are backups included?

Yes, in principle. The GDPR doesn't exclude backups from erasure obligations. However, the ICO and several EU supervisory authorities have acknowledged that deleting specific records from backup tapes can be technically difficult or impossible without restoring the entire backup. The pragmatic approach (endorsed by the ICO): if data can't be deleted from backups immediately, ensure it's "quarantined" so it won't be restored or processed. When the backup is due for overwriting or deletion according to your backup retention schedule, the data will be removed. Document this approach and explain it to the individual.

Cloud services and third-party processors

If the data is held by a cloud HR system, payroll provider, or other processor, the employer (as controller) must instruct the processor to delete the data. Check data processing agreements for deletion provisions and timelines. Some cloud providers retain data in backups for extended periods after "deletion" from the live system. Understand your provider's deletion architecture and ensure it aligns with your obligations.

Building an Erasure-Ready Retention Policy

The easiest way to handle erasure requests is to have a clear data retention policy that already defines when data should be deleted.

  • Map every category of HR data: recruitment, onboarding, payroll, performance, disciplinary, health and safety, training, benefits, and offboarding.
  • Assign a retention period to each category based on legal requirements, business necessity, and industry standards.
  • Identify the lawful basis for each processing activity. Data processed under consent is most vulnerable to erasure requests (consent can be withdrawn at any time).
  • Automate deletion where possible. Configure your HRIS to flag or auto-delete records when their retention period expires.
  • Document exceptions: data retained for pending or anticipated legal claims, regulatory investigations, or audit purposes.
  • Review and update the retention schedule annually. Legal retention requirements change, and new data categories emerge as HR technology evolves.
  • Train HR staff to understand the retention schedule and to apply it consistently. Inconsistent retention (keeping some records longer than others for no reason) undermines the defensibility of the entire policy.

Right to Erasure Statistics [2026]

Data on how erasure requests are handled across the EU and UK.

  • 12,900+: Erasure-related complaints received by EU supervisory authorities in 2023 (European Data Protection Board, 2024)
  • 30 days: Standard deadline for responding to an erasure request (GDPR Article 12(3))
  • 70%: Of Google's right-to-be-forgotten requests (search de-indexing) are granted in full or in part (Google Transparency Report, 2024)
  • EUR 20M: Maximum fine for failure to comply with data subject rights including erasure (GDPR Article 83(5))

Frequently Asked Questions

Does the right to be forgotten mean an employer must delete everything?

No. The right is subject to several exceptions. Employers can (and must) retain data required by law (tax records, pension records, health and safety documentation). They can also retain data needed to defend legal claims during the relevant limitation period. The right applies to data that's no longer necessary, was collected under consent that has been withdrawn, or was unlawfully processed. Each data category must be assessed separately.

Can a former employee demand deletion of their references?

References given by the employer to a third party don't need to be deleted from the recipient's systems in response to a request to the employer. The employer only controls data in its own systems. References held by the employer (copies of references given, or references received about the individual) should be assessed under the retention policy. References received in confidence are also exempt from subject access requests under UK law (DPA 2018, Schedule 2, Part 4, Para 24), though this exemption doesn't extend to the right to erasure.

How does the right to be forgotten apply to search engines?

The right originated in the Google Spain case (2014), where the CJEU ruled that individuals could request search engines to de-index search results containing outdated or irrelevant personal data. GDPR Article 17 codified this. If an employer's website contains personal data about a former employee (a staff directory listing, a blog post, a press release), the individual can request the employer to remove it. They can also separately request search engines to de-index the page. The two rights are independent.

What if the employer has already shared the data with third parties?

Article 17(2) requires the controller to take "reasonable steps" to inform other controllers to whom the data was disclosed that the individual has requested erasure. For HR, this means notifying payroll providers, benefits platforms, recruitment agencies, occupational health providers, and any other third parties who received the data. "Reasonable steps" includes considering available technology, the cost of implementation, and the feasibility of notifying all recipients. Keeping a record of data disclosures makes this obligation much easier to fulfil.

Can an employer proactively delete data before being asked?

Yes, and they should. Proactive deletion through a well-implemented retention policy is a core GDPR obligation (storage limitation principle). Organisations shouldn't wait for erasure requests to delete data that's no longer needed. If your retention schedule says recruitment data is deleted after 12 months, implement automated processes to delete it. This reduces the volume of data that could be the subject of an erasure request and demonstrates good data governance.

Is there a penalty for refusing a valid erasure request?

Yes. Refusing a valid erasure request is a breach of GDPR Article 17, which falls under the higher tier of fines: up to EUR 20 million or 4% of global annual turnover, whichever is higher. In practice, supervisory authorities typically start with warnings and reprimands before imposing fines for first-time failures, unless the refusal is deliberate or part of a pattern. Individuals can also claim compensation for distress caused by the failure to comply (Article 82).

Written by Adithyan RK
Fact-checked by Surya N
Published on: 25 Mar 2026