top of page

The Right to Be Forgotten: Navigating Privacy and Public Interest Under GDPR

In the digital age, the trail of personal data left online can be both a boon and a bane. Recognizing the potential for misuse, the General Data Protection Regulation (GDPR) introduced the Right to Be Forgotten (also known as the Right to Erasure), granting individuals significant control over their personal data online. This right allows individuals to request the deletion of their personal data under certain conditions, raising pivotal questions for businesses on compliance, the implications for operations, and the delicate balance between individual privacy and the public interest.

Implications for Businesses

For businesses, the Right to Be Forgotten is not just a regulatory hurdle but a fundamental shift in how customer data is managed. Compliance requires not only a technical response to erase data but also a holistic approach to data governance. Organizations must ensure they have systems in place to identify, locate, and delete data upon request, which can be particularly challenging when data is scattered across multiple databases or processed by third-party vendors.

The operational impact extends beyond data deletion. Businesses must also evaluate the legitimacy of requests, balancing the individual's right to privacy against the organization's need to retain data for legal or operational reasons. This evaluation process requires a clear understanding of the exceptions under GDPR, such as the necessity for compliance with a legal obligation, the performance of a task carried out in the public interest, or the establishment, exercise, or defense of legal claims.

Handling Requests

The process for handling Right to Be Forgotten requests involves several key steps:

  1. Verification: Confirm the identity of the requester to prevent unauthorized data deletion.

  2. Assessment: Determine whether the request meets the criteria under GDPR for erasure. This includes evaluating the necessity of the data for the purposes for which it was collected or processed.

  3. Action: If the request is valid, proceed with the deletion of the data. This involves not only erasing the data from primary systems but also ensuring it is removed from backups and any third-party services involved in data processing.

  4. Communication: Inform the requester once the data has been successfully erased. If the request is denied, explain the reasoning clearly and provide information on their right to appeal the decision.

Balancing Privacy and Public Interest

The Right to Be Forgotten does not exist in a vacuum and must be balanced against other rights and interests, including the public's right to information. This balance is particularly pertinent in cases involving public figures or events where there is a significant public interest in the information being available. For example, data related to financial misconduct, professional malpractice, or criminal activity may be excluded from the right to erasure to protect the public interest.

Businesses must navigate these complexities, often making case-by-case determinations that consider the nature of the data, the individual's role in public life, and the impact of erasure on the public's right to know. This balancing act requires not only a legal understanding of GDPR but also an ethical consideration of the broader implications of data erasure.


The Right to Be Forgotten under GDPR represents a significant empowerment of individuals over their personal data but also poses complex challenges for businesses. Successfully navigating these challenges requires robust data governance policies, clear procedures for handling requests, and a nuanced understanding of the balance between privacy rights and the public interest. By embracing these responsibilities, businesses can not only comply with GDPR but also enhance their reputation for respecting customer privacy, building trust in an increasingly data-driven world.


bottom of page