Demonstration
To process your request, we need to process your personal data. Find out more about the processing of your personal data here.

Most requests received by companies concern the Right to be forgotten therefore the deletion of data. However, this is not a simple "delete" button: certain personal data must be retained to meet legal or contractual obligations.

This right allows anyone to request the deletion of their data when its Data retention justified, whether for an online account, content published on a page, or search results visible online. It aims to guarantee the protection of individuals and prevent obsolete, inaccurate, or sensitive information from remaining unduly accessible.

For companies, implementing this right provided forin Article 17 of GDPR can be complex. This is because data is often spread across different domains, systems, and accounts, making it difficult to delete completely.

In addition, complying with legal deadlines, managing multiple requests, and providing the necessary documentation to avoid complaints can pose a real operational challenge.Failure to respond or providing an incomplete response can have significant legal and reputational consequences.

This is precisely where the Data Protection Officer (DPO) comes in, whether internal or outsourced. outsourced. Their mission is to ensure compliance, coordinate operational teams, and ensure that each request is handled with rigor, transparency, and respect for the protection of individuals.

Two employees working on the right to be forgotten in business.

1. What is the Right to be forgotten

The Right to be forgotten, recognized by the GDPR reinforced by the CJEU, allows individuals to request the erasure of personal data in several situations:

  • The data is no longer needed for the original research purposes.
  • The individual withdraws their consent for an account or service.
  • The processing is deemed unlawful or the content is inappropriate.
  • The processing concerns search results that are no longer relevant.

However, this right is not absolute. It may be limited in order to respect freedom of expression, legal obligations, or certain public interest missions. The decision on whether or not to delete the data must always be documented by the data controller.

The Right to be de-listed often stems from Right to be forgotten it allows a link to be removed from search results displayed on search engines in order to limit the visibility of harmful content.

Photo illustrating the right to be forgotten in the workplace.

2. Why Right to be forgotten the Right to be forgotten a major issue for businesses?

2.1 Legal and financial risks

Failure to respond to a request for erasure may result in a complaint to the CNIL (National Commission for Information Technology and Civil Liberties) other competent authorities. The penalties provided for by the GDPR significant: they can reach up to €20 million or 4% of the company's global annual turnover.

Even doubt about the compliance of a processing operation may be sufficient to trigger an inspection or a finding of non-compliance, which shows the importance of handling each request with rigor.

2.2 Operational complexity

Implementation of the Right to be forgotten is not a simple technical issue. Personal data is often scattered across multiple accounts, internal systems, and databases. To ensure comprehensive protection for individuals, it is necessary to identify all instances of the same content and ensure that they are deleted. This operation requires coordination between different departments, documentation of actions, and the implementation of clear procedures to avoid any lack of response or errors.

Therefore, the challenge for the company is not only to comply with the law, but also to organize its systems and processes so that data protection is effective and traceable, while reducing the risk of penalties or complaints.

Photo illustrating a keyboard for data deletion and the GDPR right to be forgotten.

3. Implementation: how to manage the Right to be forgotten

Requests related to the Right to be forgotten primarily concern the deletion of data, but it is essential to distinguish between data that can be deleted and data that must be retained for legal, fiscal, or operational reasons.

Implementing the Right to be forgotten is Right to be forgotten simply a matter of pressing "delete." It is a legal, technical, and organizational process. Here is how an outsourced DPO outsourced support a company.

3.1 Analysis of requests received

The DPO checks each request to determine whether it falls under the Right to be forgotten or the right to de-indexing. They assess the relevance of the content and the need for deletion.

In the event of excessive, abusive, or manifestly disproportionate requests, the DPO may refuse to comply, providing clear and documented justification. The objective is to delete only relevant data, while complying with legal and operational obligations.

3.2 Internal coordination

The DPO organizes the deletion process with the relevant teams: IT, marketing, legal.

3.3 Meeting deadlines

The GDPR a response within one month. The DPO ensures that the company leaves no room for doubt orfailure to respond to a complaint.

As a reminder, in the case of a complex request, you have up to three months to respond to the Data subject they must be informed of this extended deadline at the end of the first month. For more information on managing your rights requests, click here.

3.4 Exception handling

If certain data cannot be deleted for legal research purposes or obligations, the DPO documents the finding and drafts a clear response in a register of rights requests for traceability and accountability purposes.

For example, if a client requests that their data be deleted, you must retain and not delete any invoices less than 10 years old in order to fulfill your tax and accounting obligations.

3.5 Training and awareness-raising

Data protection also involves training teams to ensure that the Right to be forgotten is properly applied Right to be forgotten daily Right to be forgotten . It is therefore essential to have a clear procedure in place across all relevant departments in order to reduce the risk of non-response to the Data subject.

The GDPR checklist - Are you really in compliance?

Check your compliance point by point with this clear, concise checklist. An essential tool for any professional wishing to make sure they're on the right track when it comes to data protection.
Download

Conclusion

The Right to be forgotten is an essential tool for ensuring data protection and strengthening user confidence. While the majority of requests concern the deletion of data, it is crucial not to delete everything indiscriminately: certain information must be retained to meet legal, tax, or operational obligations.

The effective implementation of this right relies on rigorous analysis of requests, structured internal coordination, adherence to deadlines, and accurate documentation of each action. Training teams and establishing clear procedures also help to avoid any lack of response or errors.

As an outsourced DPO, our role is to guide you through this process, ensuring that each request is handled with rigor, transparency, and Accountability. When managed properly, the Right to be forgotten not only a legal obligation, but also a lever for protecting individuals and securing the company's activities.

Samia Rahammia
Samia Rahammia

IT and Data Lawyer and Marketing Project Manager