Lexicon > Right to erasure

IT Glossary

Right to erasure

The right to erasure of personal data is one of the seven rights that data subjects have over their personal data enshrined in the GDPR, namely:

Under the right to erasure, the data subject may request the controller to erase personal data relating to him or her processed by the controller as soon as possible and in any event within one month of receipt of the request.

However, this right is not absolute. The person concerned can only request it when:

  • His/her data are no longer necessary for the purposes for which they were collected or otherwise processed;
  • The data subject withdraws the consent on which the processing is based, and there is no other legal basis;
  • The data subject exercises his/her right to object to the processing, and there are no compelling legitimate grounds for the processing;
  • His personal data have been processed unlawfully;
  • A legal obligation provides;
  • Its data was collected as part of the information society service offering.

In addition, when the responsible for the treatment has made the personal data, and is required to delete it, it must, taking into account available technology and implementation costs, take reasonable steps, including technical steps, to inform data controllers who process these data that the data subject has requested the deletion of any links to them as well as of any copies or reproductions.

Finally, the exercise of the right to erasure may be refused by the controller when the personal data processed are necessary:

  • To the exercise of the right to freedom of expression and information;
  • To comply with a legal obligation or to perform a public interest mission;
  • For reasons of public interest in the field of public health;
  • For archival purposes in the public interest, for scientific, historical or statistical research;
  • The establishment, exercise or defense of legal rights.


Provision should be made to facilitate the exercise by the data subject of his or her rights under this Regulation, including the means of requesting and, where appropriate, obtaining free of charge, inter alia, access to and rectification or erasure of personal data and the exercise of a right of objection. The controller should also provide the means to make requests electronically, especially where personal data are processed electronically. The controller should be obliged to respond to requests from the data subject as soon as possible and at the latest within one month and to give reasons for not responding to such requests.

Recital 59 of the GDPR

Point of jurisprudence

The CNIL was able to heavily sanction a company on the grounds “that the complainant did not receive any response from the company regarding the deletion of her data that she had requested from the company.

However, since the Commission considers that there is no valid legal basis for the processing carried out under the European regulations, the deletion was legal. This constitutes a breach of Standing Order 17.

CNIL, November 26, 2021, N°MED-2021-134

The Bouchara firm assists you in particular in :

  • Making your organization GDPR compliant;
  • The drafting of data protection policies (privacy policy, computer charter …);
  • Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.