Why Not All Personal Data Must Be Deleted Upon Request

A common misunderstanding under the GDPR is that any individual can demand their data be deleted at any time. While the regulation does provide a right to erasure—also known as the “right to be forgotten”—this right is subject to clearly defined conditions and exceptions outlined in Article 17.

For CIPP/E candidates, this is a core area to master. Real-world scenarios and exam questions often test knowledge of data subject rights and the boundaries of those rights. Knowing when erasure is required, optional, or lawfully denied is key to both compliance and certification success.

Introduction to the Right to Erasure Under the GDPR

The right to erasure is enshrined in Article 17 of the GDPR. It grants individuals the ability to request the deletion of their personal data, but only under certain conditions. This right is powerful but not unlimited.

The GDPR intentionally balances data subject rights with other lawful obligations and societal interests. Understanding these limitations is crucial for privacy professionals, particularly those preparing for the CIPP/E exam, where these nuances frequently appear in complex scenarios involving conflicting legal bases or exemptions.

Understanding the Right to Erasure (Article 17)

Under Article 17, the right to erasure applies when personal data is no longer needed for its original purpose, when consent is withdrawn and no other legal basis exists, or when processing is found to be unlawful. It also applies when there’s a legal obligation to erase the data.

This right is closely tied to other GDPR principles, such as data minimization and purpose limitation. In practice, however, its application must be assessed against other GDPR provisions and sector-specific obligations. According to GDPRhub, the right is conditional, and regulators have consistently emphasized that it must be balanced with competing rights and duties.

Grounds for Granting a Deletion Request

There are several well-defined circumstances where personal data must be erased. These include cases where the data subject withdraws consent and no other lawful basis remains, or where data is no longer necessary for the original purpose for which it was collected. Unlawful processing also justifies deletion, as does a legal obligation to remove the data.

Yet even when these grounds seem to apply, controllers must assess the request carefully to confirm there are no overriding reasons to retain the data.

When the Right to Erasure Does Not Apply

Despite the strength of the erasure right, the GDPR outlines situations where organizations may lawfully deny a deletion request. Data must be retained when processing is necessary for legal compliance, to serve the public interest, or to support archiving purposes related to research or statistics. It is also valid to reject erasure if the data is required for the establishment, exercise, or defense of legal claims.

As the ICO explains, organizations are required to balance individual rights with these other interests. The GDPR doesn't favor erasure over compliance or legal necessity—it mandates a fair and documented evaluation.

Right to Be Forgotten in the Context of Search Engines

The right to be forgotten gained prominence after the 2014 Google Spain ruling, where the European Court of Justice determined that individuals could request search engines to delist results tied to their name under specific conditions. However, this decision didn’t grant a blanket deletion right.

According to EDPB Guidelines 5/2019, search engines must assess whether links are outdated, inaccurate, or excessive—and then balance the individual’s privacy against the public’s right to access information.

Importantly, these cases often involve delisting rather than complete deletion, demonstrating that erasure must be tailored to context.

Practical Considerations for Organizations

When an organization receives an erasure request, it must evaluate the legal basis for the original processing and determine if any retention requirements apply. Confirming the identity of the requester is a necessary first step to ensure the request is legitimate and specific to the individual concerned.

Organizations should consult their data retention policies to assess whether a legal or contractual requirement prevents deletion. Where retention is required, the organization must clearly communicate its justification to the individual, maintaining transparency and compliance with the accountability principle in Article 5.

The Dutch DPA recommends documenting the rationale behind each response to an erasure request, especially when denying the request due to overriding legal grounds.

CIPP/E Exam Relevance and Real-World Application

CIPP/E candidates will often encounter case studies where they must evaluate whether an erasure request is valid. These scenarios test not only the candidate’s understanding of Article 17 but also their ability to apply it within a broader legal and ethical framework.

Candidates must be able to distinguish between required and discretionary deletion, and explain exceptions with precision. Familiarity with the structure and language of the GDPR—as provided by GDPR-Info.eu—will aid in interpreting exam questions and applying those insights to professional practice.

The Right to Erasure Comes with Boundaries

The GDPR offers strong rights to individuals, but the right to erasure is not without limits. Controllers must weigh requests against legal duties, public interests, and the practical needs of data governance.

For privacy professionals—and especially CIPP/E candidates—understanding both the power and the limits of Article 17 is vital. Knowing when data must be erased, when it may be retained, and how to respond transparently will ensure compliance and build trust with data subjects.
