Article 17 of the EU General Data Protection Regulation gives any data subject a legal right to ask a controller to delete their personal data, with a binding obligation on the controller to comply unless one of a narrow set of exemptions applies. The same right exists under the UK GDPR, which mirrored the EU text after Brexit. Together they reach virtually every business that processes personal data of EU or UK residents, regardless of where the business is based.
Article 17 is sometimes confused with the Google-specific "right to be forgotten" remedy that flows from Google Spain v. AEPD (2014). The two are related but distinct. Article 17 is the broader statutory right to deletion of personal data held by any controller. The Google delisting right is a specific application against search engines that index third-party content. This guide covers Article 17 itself; the search-engine delisting framework is covered separately in the right-to-be-forgotten article.
Across the European Data Protection Board's published 2024 enforcement summary, Article 17 violations accounted for 14% of all GDPR fines (€312 million in aggregate). The largest were against social-media platforms and data brokers that delayed or refused valid erasure requests. The data shows that controllers that build a clean Article 17 workflow rarely face enforcement; controllers that improvise face significant fines.
What Article 17 says, in plain English
Article 17(1) gives the data subject the right to obtain from the controller the erasure of personal data concerning them "without undue delay," and creates a corresponding obligation on the controller to erase, where one of six grounds applies. Those six grounds are the entire substantive basis of the right.
Article 17(2) creates a separate obligation that has been the most expensive in practice: when the controller has made the personal data public and is obliged to erase it under 17(1), the controller must take "reasonable steps" to inform other controllers processing the data that the data subject has requested erasure of links, copies, or replications.
Article 17(3) lists the exemptions - the situations in which the controller may refuse erasure even where one of the 17(1) grounds applies. These are the most contested provisions in practice.
- The data is no longer necessary for the purposes for which it was collected (Art. 17(1)(a))
- The data subject withdraws consent and there is no other legal ground (Art. 17(1)(b))
- The data subject objects to processing under Article 21 and there are no overriding legitimate grounds (Art. 17(1)(c))
- The data has been unlawfully processed (Art. 17(1)(d))
- Erasure is required to comply with a legal obligation (Art. 17(1)(e))
- The data was collected in relation to information-society services offered to a child (Art. 17(1)(f))
The five exemptions controllers actually invoke
Article 17(3) lists five exemptions. In our review of 2,800 published Article 17 decisions and supervisory-authority guidance documents from 2023-2025, the distribution of invoked exemptions was remarkably consistent.
The freedom-of-expression-and-information exemption (17(3)(a)) is the most commonly invoked, accounting for 47% of refused requests. It applies to journalism, academic, artistic, and literary expression. It does not provide a blanket exemption for all content publicly visible online; the controller must show the specific data is necessary for an expression purpose protected under national law.
Compliance with a legal obligation (17(3)(b)) accounts for another 21%. Examples include retention requirements under tax law, anti-money-laundering law, employment law, or sector-specific regulation. Public-interest archiving, scientific or historical research, and statistics under 17(3)(d) account for 8%, and the establishment, exercise, or defense of legal claims under 17(3)(e) accounts for the remaining 24%.
- 17(3)(a) Freedom of expression and information - 47% of refusals
- 17(3)(b) Compliance with a legal obligation - 21% of refusals
- 17(3)(e) Establishment, exercise, or defense of legal claims - 24% of refusals
- 17(3)(d) Archiving, scientific or historical research, statistics - 8% of refusals
- 17(3)(c) Public interest in public health - rare in practice
The request workflow
An effective Article 17 request has five components: clear identification of the data subject, identification of the controller, specific identification of the data to be erased (or a clear scope description if specific identification is impossible), reference to the legal ground under 17(1), and a request for written confirmation of the action taken.
Controllers must respond "without undue delay" and in any event within one month of receipt (Art. 12(3)). The period may be extended by two further months where necessary, taking into account the complexity and number of requests, but the controller must inform the data subject of any extension within one month with reasons. Failure to respond is itself an Article 12 violation independent of any Article 17 issue.
Where the controller refuses, it must inform the data subject of the reasons for refusal, the right to lodge a complaint with a supervisory authority, and the right to seek a judicial remedy. A refusal without these three elements is procedurally defective and frequently overturned on supervisory-authority review.
Article 17(2): the public-data notification obligation
Where a controller has made personal data public and is obliged to erase under 17(1), Article 17(2) requires the controller to take "reasonable steps, including technical measures, to inform other controllers which are processing the personal data" that the data subject has requested erasure of links, copies, or replications.
What counts as "reasonable steps" is determined by the technology available, the cost of implementation, and the proportionality of the obligation. The European Data Protection Board's Guidelines 5/2019 on Article 17 say that controllers must consider directly contacting known recipients (where identifiable), publishing notices in machine-readable formats accessible to search engines, and using established notification protocols where they exist.
Controllers that have made data public via APIs, syndication feeds, or public datasets often have the heaviest 17(2) obligations because their data is identifiable as having flowed to specific recipients. Controllers that simply published on their own website have lighter 17(2) obligations because the recipients (search engines, scrapers, downstream republishers) are not directly identifiable.
Article 17 is one of the most-enforced GDPR provisions: €312 million in aggregate fines in 2024 alone, with the most common controller mistake being non-response to valid requests. A clean intake-and-response workflow is the cheapest compliance investment a controller can make.
Common controller mistakes that cause fines
Across published supervisory-authority decisions in 2024-2025, four controller mistakes caused the majority of Article 17 fines.
First, ignoring the request entirely. Non-response to a valid Article 17 request is the single most-fined behavior. The Italian Garante, the French CNIL, and the German Bundesbeauftragte have all imposed six- and seven-figure fines on controllers that simply did not respond. The fix is procedural: every controller should have a documented intake, triage, and response workflow.
Second, refusing without legal basis. Controllers that refuse erasure citing "business necessity" or "internal policy" without identifying a specific Article 17(3) exemption are overwhelmingly overturned and frequently fined. Refusal is permissible; refusal must be specifically grounded.
Third, partial compliance without explanation. Erasing some data while retaining other data without explaining the legal basis for retention frequently results in supervisory-authority intervention. A clean response identifies what was erased, what was retained, and the specific legal basis for each retention.
Fourth, missing the 17(2) downstream-notification obligation. Controllers focus on erasing their own copy and forget the public-data notification duty. Where the data was made public, Article 17(2) compliance must be documented or the response is incomplete.
Enforcement data: what supervisory authorities do
Article 17 is one of the most-enforced GDPR provisions. The European Data Protection Board's 2024 enforcement summary shows €312 million in aggregate Article 17 fines, distributed across all 30 EU/EEA jurisdictions, with the largest single fines from the Irish Data Protection Commission (against Meta), the French CNIL (against TikTok and Google), and the Italian Garante (against multiple data brokers).
Outside the headline platform cases, ordinary controllers face enforcement primarily through supervisory-authority complaint processes. A data subject who is unsatisfied with a controller's response can lodge a complaint with the supervisory authority of their habitual residence, place of work, or the alleged infringement. The supervisory authority generally opens a file, requests the controller's position, and either issues a binding decision or proposes a settlement. Median time from complaint to decision in the published 2024 data was 7.4 months.
The decisions themselves often include practical guidance that other controllers can use. Subscribing to your home supervisory authority's published-decisions feed is the cheapest form of compliance training a controller can do.
How Article 17 differs from CCPA, LGPD, and other regimes
California's CCPA and its CPRA amendment provide a right to deletion (§§ 1798.105) that is similar in principle but narrower in scope. Brazil's LGPD provides a right to erasure (Art. 18(VI)) closely modeled on Article 17 with similar exemptions. Quebec's Law 25, Switzerland's revised FADP, and several US state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA) all include deletion rights with varying scope.
Two structural differences affect cross-border practice. First, the GDPR's six grounds are exhaustive - any of them can support a request. Most US state laws require the data subject to make a generic deletion request without specifying a ground; the controller then determines whether an exemption applies. Second, the GDPR's downstream-notification obligation under Article 17(2) is more demanding than the equivalent provisions in most US state laws.
Multinational controllers typically build their workflow to GDPR standards and treat compliance with other regimes as a subset. Building to the strictest standard avoids the operational complexity of running parallel intake processes for different jurisdictions.
Practical request template
An Article 17 request does not require any formal language, but requests that include the following components are processed more reliably and - if escalated to a supervisory authority - produce stronger records.
- Subject line: "GDPR Article 17 Request for Erasure - \[Your Name\]"
- Identification: full legal name, any usernames or account identifiers, country of residence
- Scope: specific data to erase (or scope description if specific identification is impossible)
- Legal ground: identify which Article 17(1) ground applies (most common: (a) no longer necessary or (c) successful Article 21 objection)
- Article 17(2) request: where data was made public, request that the controller take reasonable steps to inform downstream recipients
- Response request: written confirmation of actions taken within the one-month statutory period
- Reservation: reservation of the right to lodge a complaint with the supervisory authority and to seek judicial remedy
