Right to be Forgotten - How it works

You may have heard about the right to be forgotten (RTBF) as part of the General Data Protection Regulation, but do you know how RTBF works for a data subject?

Right to Be Forgotten

You’ve likely heard about the Right to be Forgotten (RTBF) as part of the General Data Protection Regulation (GDPR), but how does it actually work in practice?

Complexities and challenges under the General Data Protection Regulation

Complying with the Right to Be Forgotten (RTBF) under the General Data Protection Regulation (GDPR) is not straightforward. It requires businesses to balance privacy rights, legal obligations, and public interest considerations when handling personal data removal requests.

As of 2025, the UK still aligns with EU GDPR principles, but potential changes through the UK Data Protection and Digital Information Bill could impact how RTBF is applied. Businesses operating in the UK should monitor regulatory developments to ensure compliance.

In this guide, we’ll break down what RTBF means for personal data, how it’s interpreted by European courts, and what data protection laws mean in practice.

We’ll also recommend reputation experts to support you in exercising your Right to Be Forgotten effectively.

What is the GDPR Right to Be Forgotten and How Does It Protect Personal Online Reputation?

The right to be forgotten can be defined as the right of the data subject to erase personal data they don’t want to show up via search engines. It can also mean that they want personal data erased from other directories, but for the most part, we’re talking about search results that show on Google or Bing, for example.

As we’ve mentioned, it’s not just the European Union that is tackling the issue of the right to be forgotten. Several other places have also put into practice some form of data protection rules covering the right to be forgotten.

If you’re struggling with outdated or harmful search results, seeking expert guidance can make all the difference. A quick, no-obligation consultation can clarify your options. Contact Igniyte’s team of experts today. 

Why would a data subject want to enact this part of the European data protection law?

Online reputation plays a significant role in employment, business opportunities, and personal privacy. Negative or outdated search results can have long-term consequences, leading individuals to exercise their RTBF rights.

However, the debate over RTBF is ongoing:

  • Supporters argue it protects individuals from being permanently judged by past actions.
  • Critics claim it infringes on freedom of expression and public access to information.

Whether it’s old news articles, unfair business reviews, or misleading content, effective online reputation management can ensure that your digital presence truly reflects who you are today.

The Right to be Forgotten and freedom of expression

The RTBF has sparked plenty of debate. Some say it protects privacy, while others argue it limits press freedom and public access to information. It’s a tricky balance—one that led to GDPR replacing older data laws in 2018.

Different countries see RTBF differently:

  • In the UK, it’s a bit like the Rehabilitation of Offenders Act, which lets past convictions be “spent” after a certain time, so they don’t hold people back forever. France has a similar idea with le droit à l’oubli.
  • The US takes the opposite view. Under the First Amendment, free speech comes first, and removing search results is seen as censorship rather than privacy protection.

While RTBF is now law in Europe, opinions are still divided. Knowing where you stand helps when dealing with data privacy rules across different countries.

What does the right to be forgotten mean for data subjects and search engines?

In simple terms, the right to be forgotten allows a person to request that certain data be deleted so that they can’t be traced via search engines by a third party.

RTBF gives individuals the right to request personal data removal if:

  • The data is no longer relevant or necessary for its original purpose.
  • The individual withdraws consent for data processing.
  • The data was collected unlawfully.
  • A legal obligation requires the deletion.

Most requests focus on removing search engine results from platforms like Google and Bing, particularly for outdated or damaging content. However, RTBF also applies to directories and other data processors.

Work with reputation experts to ensure you have the right kind of framework in place.

For those of us that live in a country that does apply the right to be forgotten, it’s possible to make legal claims to remove personal information and URLs from a search engine. You may come across the word ‘delisting’ referring to this too.

However, as the right to be forgotten is still under debate in many countries, its interpretation and implementation can vary from country to country.

The European Union has had long-standing data protection laws that included the right to erasure. This forms the nucleus of the right to be forgotten as it stands currently.

How RTBF Evolved from the Right to Erasure

The 2014 judgement by the European Court shifted the interpretation of the previous understanding of the right to erasure. It essentially extended the remit of the right to be forgotten to cover the right to delisting.

However, the application of RTBF has continued to evolve:

  • 2019 – Global Scope Limitation: The ECJ ruled that search engines are not required to remove links from global domains (e.g., Google.com) but must ensure delisting occurs on EU-specific versions such as Google.fr or Google.de.
  • 2022 – Accuracy of Information: The court clarified that if an individual can prove that information is false or misleading, search engines must remove it, reinforcing obligations on platforms like Google to verify the accuracy of indexed content.
  • 2023 – AI and RTBF Compliance: The rise of AI-driven search and content aggregation has introduced challenges in fully enforcing RTBF, as AI systems process vast amounts of historical data, making complete removal more complex.

If you’re considering making a request under the right to be forgotten but don’t know where to start, consulting with experts in content removal can significantly increase your chances of success.

How Search Engines Handle GDPR Right to Be Forgotten Requests

The ruling by the European Court caused concern for companies like Google, who wanted to understand the full ramifications of their legal obligation.

As a search engine operator, Google set up an Advisory Council in 2015 to figure out recommendations regarding the right to be forgotten.

By 2024, Google had received over 5 million requests for personal data removal under the Right to Be Forgotten, reflecting the increasing demand for online reputation management and data privacy protections. Google has always stressed that it is attempting to balance the right to be forgotten and the individual’s privacy with public interest.

RTBF Beyond the EU: A Growing Global Trend

While the Right to Be Forgotten (RTBF) is primarily associated with the European Union’s GDPR, several other countries have introduced similar data protection measures:

Although the global approach to digital privacy varies, many jurisdictions are now incorporating RTBF-like rights, reflecting the increasing demand for greater control over personal data online.

Right to be forgotten decisions are made on a case-by-case basis

The RTBF is complex due to competing interests and the interconnected nature of the internet. Each request is assessed individually, balancing privacy rights with freedom of information and public interest.

To address these complexities, data processors established advisory councils, and the European Commission continues to refine RTBF policies through case law.

Under Article 17 of the GDPR, data subjects can request the erasure of personal data from a data controller (e.g., a search engine or organisation) if specific conditions apply. Requests should typically be processed within a month, but verification of legitimacy is required.

Since RTBF decisions vary case by case, there is no universal approach—rulings depend on legal requirements, ethical considerations, and the specifics of each request.

When can legal claims to remove data from search results be made?

The GDPR must balance requests for data or URL removals against the public’s interest and consider whether they’re no longer relevant.

Individuals can act with regard to their sensitive data if they consider it to be stored unnecessarily, if the data is incorrect, or if they no longer consent to the processing of that data.

Under Article 17 of GDPR, a Right to Be Forgotten (RTBF) request is considered valid if at least one of the following conditions applies:

  • Data is no longer needed – The original reason for collecting and processing the data is no longer valid (e.g., expired marketing campaigns or outdated records).
  • Consent has been withdrawn – If the data subject originally provided consent but later revokes it.
  • Objection to legitimate interest – If an organisation claims a legitimate interest in processing personal data, but the individual objects, and there is no overriding reason to keep the data.
  • Unlawful processing – If the data was collected, stored, or processed illegally in breach of data protection laws.
  • Legal obligation to erase data – If a court ruling or legal requirement demands the data’s removal.

When does the organization’s right to process the data override the data subject’s request?

Under GDPR, an organisation’s right to process personal data can override a data subject’s request for erasure in specific circumstances, including:

  • Freedom of expression and information – If the data is essential to uphold press freedom or public access to information.
  • Legal obligations – If the organisation must retain the data to comply with a legal requirement or ruling.
  • Public interest tasks – If the data is used for scientific or historical research, public health, or statistical purposes, particularly when processed by an official authority.
  • Medical purposes – If required for preventative or occupational medicine, provided it is handled by a healthcare professional bound by confidentiality laws.
  • Legal claims – If the data is necessary for establishing, exercising, or defending legal claims.

If an organisation can justify that a removal request is excessive or unfounded, it may deny the request or charge a reasonable fee for processing.

Each RTBF request is evaluated individually, considering local laws, GDPR requirements, and public interest factors. The European Parliament continues to refine RTBF regulations through legislative updates and case law to balance privacy rights with broader societal interests.

What does a valid request look like for the right to be forgotten?

There is no specification under the GDPR regarding the specifics of a valid verbal request or written request.

The data subject can make the request either in writing or verbally and can make it to any member of the organization involved. In other words, the request to ensure that search results no longer show personal data doesn’t have to be made to a specified information commissioner or officer.

If the request meets the conditions listed in the section above, it is considered valid according to the European Commission or, following Brexit, according to the UK courts if it is based there instead.

Furthermore, the request doesn’t even have to mention the ‘right to be forgotten’, ‘request for erasure’, the GDPR or Article 17.

This puts the onus on the organization to ensure its employees are fully trained on what constitutes a valid verbal request. Any employee could feasibly receive such a request and must know what to do with it and the organization’s obligations.

How Should an Organisation Respond to an RTBF Request?

Organisations in the EU, UK, and GDPR-compliant regions must be prepared to handle Right to Be Forgotten (RTBF) requests efficiently.

Key Steps for Organisations:

  • Verify Requests – Confirm the requester’s identity and ensure the request meets RTBF criteria.
  • Assess Legal Exemptions – Some data may be retained for legal obligations, public interest, research, or journalistic purposes.
  • Act Within One Month – GDPR requires organisations to delete eligible data within 30 days, unless exemptions apply.
  • Notify Third Parties – If the data has been shared, inform relevant organisations unless it is unreasonable to do so.
  • Address Publicly Available Data – If personal data appears on search engines, social media, or external sites, take reasonable steps to request removal.

Failing to comply with RTBF requests can result in fines and reputational damage, as seen in recent enforcement actions across Europe.

Case Studies: The Right to Be Forgotten in Action

For individuals seeking data removal under the Right to Be Forgotten (RTBF), past case studies offer valuable insight. They also help organisations understand their legal obligations and how RTBF requests are assessed.

While GDPR formalised the process, removals are not guaranteed. Google evaluates each case individually, often rejecting requests for public figures on the grounds of public interest. Decisions can vary across EU member states, making a well-prepared request essential.

For the best chance of success, requests must clearly demonstrate that the content is inadequate, irrelevant, outdated, or excessive. Persistence and expert guidance can improve outcomes, particularly for high-profile individuals.

Take a look at Igniyte, the online reputation experts, for case studies on how they’ve helped individuals restore their online reputation and exercise their right to be forgotten.

Can celebrities utilise the right to be forgotten and get links removed?

The more well-known a data subject is, the harder it is to get content removed under the RTBF.

Public figures face greater challenges when requesting content removal. Google and search engines often deny requests from well-known individuals, arguing that their information is in the public interest.

However, RTBF is not automatically denied for celebrities. Each request is assessed on its own merits, and some high-profile individuals have successfully delisted content by proving it is misleading or no longer relevant.

To increase success, requests should be well-prepared, demonstrating clear GDPR grounds for removal. Professional assistance can help navigate this process effectively.

Checklist for Organisations to Comply with RTBF

To ensure compliance, organisations should:

  • Understand RTBF Requirements – Individuals can request the deletion of their personal data when it is no longer needed, consent is withdrawn, or processing is unlawful.
  • Identify Common RTBF Scenarios – Be prepared for cases such as a job applicant requesting the removal of their uploaded details, or a customer first requesting data access, then data portability, and finally data erasure.
  • Establish a Clear RTBF Process – Have policies in place to:
      • Verify the request’s legitimacy.
      • Assess legal exemptions (e.g., public interest, legal obligations).
      • Respond within one month, as required by GDPR.
  • Ensure Staff Are Trained – Employees handling data requests must know how to process them correctly and lawfully.
  • Maintain Compliance Records – Keep documentation of RTBF requests, decisions, and any legal justifications for approvals or refusals.
  • Avoid Regulatory Risks – Non-compliance can lead to audits, sanctions, or fines, damaging legal standing and reputation.

By implementing these measures, organisations can effectively manage RTBF requests, ensuring compliance while protecting business interests and data subjects’ rights.

For information, advice and consultation on every kind of GDPR issue, we would recommend heading over to Igniyte. Experts in Reputation Management, Igniyte have all of the expertise necessary to work with its clients on GDPR compliance and understanding.

For businesses managing sensitive data, ensuring compliance with GDPR isn’t just a legal requirement—it’s also crucial for maintaining trust. Seeking professional advice can help safeguard both your reputation and your legal standing.