Right to erasure — "right to be forgotten" (GDPR Art. 17)
In specific cases a business must erase your data within 1 month — e.g. after withdrawal of consent, expiry of purpose, or unlawful processing.
The right to erasure (GDPR Art. 17), popularly the "right to be forgotten", grants erasure rights in six specific cases:

(1) Data no longer needed for the original purpose (finished with the webshop? Then the account goes).
(2) You withdraw consent (and no other lawful basis applies).
(3) You object to processing and the business has no overriding legitimate interest.
(4) Unlawful processing.
(5) Legal obligation to erase.
(6) Data collected from a minor for information-society services.

How to request? Send a written request with your details, which data you want erased, and the legal basis (one of the 6 above). Loop in the DPO or privacy team immediately. Response time: 1 month, extendable by 2 months.

What must the business do? Not only delete your account, but also take reasonable steps to inform third parties holding your data, e.g. partners, marketing platforms, search engines. For Google: separate route via Google's right-to-be-forgotten form.

Important exceptions (Art. 17(3)): freedom of expression and information (journalism), legal retention obligations (Dutch tax authority: 7 years for accounts), public health, archiving for general/scientific/historical purposes, and legal claims (ongoing proceedings).

If they don't erase? Demand letter → complaint to AP → potentially court (damages via Art. 82).

Note: "forgotten" doesn't mean "automatically invisible on Google". Search results need a separate request to Google (since Costeja ruling 2014).