CIAM.wiki

Right to Be Forgotten

The right to be forgotten, formally the right to erasure, is a data subject right under the GDPR that allows individuals to request the deletion of their personal data when it is no longer necessary or when they withdraw consent.

Also: right to erasure, erasure

The right to be forgotten gives individuals the ability to request that an organization delete their personal data. Under the GDPR, this right applies when the data is no longer necessary for its original purpose, when the individual withdraws consent, when the individual objects to processing, or when the data was collected unlawfully.

The right is not absolute. Organizations may refuse erasure when the data is needed to comply with a legal obligation, to exercise or defend legal claims, or for certain public interest purposes. When erasure is required and the data has been shared with third parties, the organization must take reasonable steps to inform those parties of the deletion request.

Implementing erasure in complex systems is challenging. Data may exist in production databases, backups, logs, analytics pipelines, and downstream integrations, and each must be addressed.

For CIAM, the right to be forgotten requires identity platforms to support complete account deletion workflows that remove or anonymize customer data across all systems where it is stored.

Standards

  • Regulation (EU) 2016/679
