Compliance with the Right to be Forgotten from a Business Perspective

In recent years, the phrase "right to be forgotten" has become popular due to its implications for user privacy. Colloquially, it's used to describe the ability of citizens to demand that their personal information disappear from key places on the web, such as search engines like Google.

The term has replaced the more technical "right to erasure," which is outlined in the Data Protection Law. In any case, the scope of this right involves a multitude of processes that directly affect companies and their data management: from software development processes to the need to anonymize data in their databases.

For companies, compliance with the right to be forgotten (which we will use throughout this article as a synonym for "right to erasure") is not an option but a mandate that is also subject to audits and a regime of penalties.

How can businesses ensure compliance with the right to be forgotten, and what tools are available to guarantee and facilitate this assurance? We tell you in this brief guide.

What is the Right to be Forgotten?

The right to be forgotten, as stated in the Data Protection Law, is the right to "eliminate, hide, and cancel information or past events from people's lives."

In other words, it allows citizens to act on two fronts to ensure their privacy: on the one hand, to demand the disappearance of their personal data from any data record or data storage (a concept that also includes any paper documentation held by the company); on the other hand, to require that the trail of their personal data does not appear on the web.

This right and the legislation that protects it are in turn linked to the GDPR (General Data Protection Regulation).

When Does the Right to be Forgotten Apply?

According to the Data Protection Law, the right to be forgotten is applicable when:

a) The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b) the data subject withdraws consent on which the processing is based according to Article 6(1)(a) or Article 9(2)(a), and where there is no other legal ground for the processing;

c) the data subject objects to the processing pursuant to Article 21(1), and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

d) the personal data have been unlawfully processed;

e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

What Obligations Do Companies Have Regarding This Right?

The entry into force of the GDPR (General Data Protection Regulation) in May 2018 initiated a series of obligations for companies concerning data processing. This regulation was particularly important as it established a European framework that significantly focused on data privacy. Thus, many existing obligations were collected, but a significant exercise in rephrasing and incorporating new rules also occurred.

Thus, since its entry into force, the law generates the obligation for companies to comply with the right to erasure in any context, from the simplest databases to more complex data processing contexts, such as in environments of data production and software development.

Here we outline some of the obligations that companies must proactively comply with:

Communication in Response to Requests

Individuals have the right to request access to the data that companies hold. Then there is the obligation to provide all the available information, taking the necessary security measures and within a maximum period of one month (unless exceptions).

Communication in Case of Cybersecurity Issues

In the event of a data breach of customer data, the company is obliged to communicate it within 72 hours to the appropriate control authority.

It is important to remember that, prior to exercising the right of erasure, the individual has the option of requesting access to the data being processed about them, in which case the company:


Within the framework of the Data Protection Law, companies must ensure that they implement data anonymization processes to guarantee data privacy.

This process involves transforming sets of personal data into anonymous information. The result is a new set of data that prevents the possibility of identifying the individuals to whom the data belong.

Data Lifecycle Management

The Data Protection Law establishes that companies are only allowed to retain data for a limited period. Thus, once the conditions allowing them to store these data have ended, access to them must be blocked. This process is known as the data lifecycle.

Sanctions for Non-Compliance with the Right to be Forgotten

The text drafted by European authorities establishes that fines for non-compliance can reach 4% of the company's annual turnover or 20 million euros (whichever is greater).

A look at some statistics on the penalties incurred so far reveals that these fines are not, by any means, occasional:

  • One year after the regulation was implemented, the European Commission's report revealed that Google had been fined 50 million euros and a social network operator 20,000€.
  • Data collected in DLA Piper's 2023 report revealed that penalties had raised 1.1 billion euros in the previous year. In 2022, these fines were also 630% more substantial than in 2021.

Tools for Complying with the Right to be Forgotten

Complying with obligations regarding the right to be forgotten means monitoring a multitude of processes in companies that can reach high levels of complexity.

In this regard, a series of software tools have emerged to facilitate the processing of all required erasures.

On one hand, icaria GDPR is a software tool specialized in complying with the right to be forgotten as GDPR that facilitates various processes, such as selecting personal data to suppress and its blocking or other necessary actions (verification, restitution, disassociation, or physical deletion).

On the other hand, icaria TDM is aimed at GDPR compliance in pre-productive environments, such as test environments, facilitating processes such as managing the blocking period, suppression, coordinating the life cycle of each seed, and other actions (extraction, storage, disassociation, restoration, and deletion of data), all in an automated and planned manner.

Want to learn more about the implications of the right to be forgotten for companies and how to ensure that your business complies with legality in the most efficient way possible? At icaria Technology, we can help you. Contact us and talk to our team.