What is the right to be forgotten in GDPR?

Mateusz Zimoch
For obvious reasons, consumers don't want companies and institutions to process their personal data indefinitely. For example, when they terminate the agreement or stop subscribing to a specific service, they usually wish the company to stop processing information about them. That's the so-called right to be forgotten. What do you need to know about it in the context of GDPR?

Internet users have been more concerned about the "right to be forgotten" since the general data protection law (GDPR) came into effect in recent years. It is important to understand how the "right to be forgotten" actually works.

Compliance with the right to be forgotten can be complicated, as with every other part of the GDPR. There are implications for both the data subject and the organization seeking to use personal data or sensitive information about an individual. All European Union (EU) businesses should be familiar with their legal obligations under the GDPR and understand the right to be forgotten.

What is meant by the right to be forgotten?

Article 17 of the GDPR establishes the right to erasure, more popularly known as the right to be forgotten. According to Article 17, a person has the right to ask a data controller to delete all of their personal data without unnecessary delay and free of charge. This includes any files or information that may have been transferred into an archive, including:

  • Duplicated copies
  • Backup copies
  • Database records
  • Other forms of personal data

The terms data controller and data processor are explicitly explained in the GDPR. The party legally in charge of keeping digitally stored personal data is known as the data controller. The organization that stores or processes personal data but does not take ownership of or control over the data is known as a data processor. Typically, a cloud provider is regarded as a data processor in the GDPR context.

Data cannot be stored in copies or made accessible for other purposes by the data processor. Therefore, the decision-making process is not the data controller's responsibility; rather, it is their responsibility to delete the personal data, ensure that it has been deleted, and carry out all the necessary procedures.

All companies and organizations conducting business in the European Union must be able to comply with the regulation's right to erasure. Otherwise, they face the risk of massive fines.

Deleting the personal data

A citizen of the EU has the right, under GDPR, to request any company or institution to delete their personal data if:

  • Data no longer pertains to the purpose for which it was gathered.
  • A person withdraws their permission for the organization's use of their data (and if there is no other legal basis for the organization's collection of the data).
  • The individual objects to having their information gathered for marketing purposes or where their rights outweigh the legal reasons for obtaining the information (such as when it involves sensitive information about a child).
  • The data was handled improperly.
  • The deletion of the data is required to meet a legal requirement.
  • The information was exchanged for "information society services" and belonged to a child.

Exemptions from the "right to be forgotten"

There are several circumstances in which a business can assert that it is exempt from the rule or that it is genuinely necessary to keep a person's data. However, the criteria for such a request are open-ended. People have the option to seek deletion if they feel there is no justifiable basis for a business to handle their data, if they object to the processing, or if they simply withdraw their permission for the processing.

Video surveillance and CCTV under the GDPR

Information about a natural person that identifies them is referred to as personal data. Therefore, video images might be regarded as personal data. Commercial CCTV systems are an example of how businesses use video footage of a person to process personal data.

Data subjects are those who are being monitored. They are entitled to data subject rights, and the controller must respond if they decide to exercise them. All of the rights provided by the GDPR apply to data subjects, but when it comes to video surveillance, particular consideration must be given to the rights of access, deletion, and objection. You can protect yourself if you have been subjected to video surveillance by making a data subject request.

Any business or person running a surveillance system is categorized as a data controller or processor and, as such, has legal obligations. As a data controller, your company must be ready to justify the gathering and use of personal data through a video surveillance system.

Therefore, your company must verify how it uses video surveillance equipment when it comes to complying with GDPR provisions. Sometimes, video anonymization will be necessary.

If you process videos and images containing personal data (faces, license plates) and you need to anonymize them, you can do that easily using our platform.


The right to be forgotten is a recently developed legal notion that has significant consequences for privacy, free speech, and Internet regulations. Businesses that receive erasure requests should be aware that the right to erasure does not give an absolute "right to be forgotten". In other words, you don't have to remove the data if it has a valid use or if you have an important reason to keep it in your records.

Read more about the right to be forgotten: https://www.techtarget.com/searchcontentmanagement/definition/The-right-to-be-forgotten