Right to Erasure

Definition

The data subject right under GDPR Article 17 to have personal data deleted under specific circumstances, also known as the right to be forgotten. Erasure must occur when: the data is no longer necessary for the processing purposes, consent is withdrawn (if consent was the legal basis), the data subject objects and no overriding legitimate grounds exist, processing was unlawful, erasure is required by legal obligation, or the data relates to children's information society services. Exceptions apply where processing is necessary for the right to freedom of expression, legal obligations, public interest tasks, public health purposes, archiving/research purposes, or legal claims. Controllers must erase the data and take reasonable steps (considering cost and technology) to inform other controllers processing the data about the erasure request. Organizations should implement secure deletion processes that ensure data is removed from live systems, backups, and third-party processors. Erasure doesn't necessarily mean immediate physical destruction: organizations may mark data for deletion and remove it during the next backup cycles if security isn't compromised.

Applicable Laws & Regulations

  1. GDPR Article 17
  2. GDPR Article 19
