Right to Be Forgotten (Right to Erasure)

The Right to Be Forgotten, formally called the Right to Erasure under GDPR Article 17, allows individuals to request that a business permanently delete their personal data. Businesses must comply within 30 days unless a legal exception applies.

Erasure must be granted when: the data is no longer necessary for its original purpose, the individual withdraws consent, the data was unlawfully processed, or the individual objects and there is no overriding legitimate interest. Exceptions exist for legal obligations, public interest, and freedom of expression.

For SaaS and e-commerce companies, this means building a clear account deletion flow and ensuring data is purged from backups and third-party processors within a reasonable timeframe. Your privacy policy must explicitly describe how users can exercise this right.