Right to Erasure (Article 17 GDPR)
Also known as the 'right to be forgotten' — limited by statutory retention obligations
TL;DR
The right to erasure under Article 17 GDPR (also known as the 'right to be forgotten') grants data subjects the right to obtain the erasure of their data without undue delay. It applies where: processing is no longer necessary, consent has been withdrawn, an objection has been raised without overriding grounds, or processing has been unlawful. It is limited by statutory retention obligations (German Commercial Code (HGB), Fiscal Code (AO), Social Code (SGB)).
What is the Right to Erasure (Article 17 GDPR)?
Article 17 (1) lists 6 grounds for erasure. Article 17 (3) provides exceptions: statutory retention obligations, legal defense, public interest, and research. Practical conflict: the German Commercial Code (HGB) and the Fiscal Code (AO) require 10 years of retention — the erasure claim is therefore not enforceable to that extent. Solution: restrict processing instead of deleting, then delete after the retention period.
Practical example
Example: a customer requests erasure of their order history. The controller checks: - Active business relationship? No → no legitimate interest - Accounting retention? 10 years → restrict processing instead of deletion - Marketing newsletter? Immediate erasure possible