
Right to Be Forgotten (Right to Erasure)

The right to be forgotten, formally the right to erasure, allows individuals to request the deletion of their personal data when it is no longer necessary, consent has been withdrawn, or processing is unlawful. Enshrined in Article 17 of the GDPR, this right is not absolute and must be balanced against other legal obligations.

The right to be forgotten originated from the 2014 Google Spain ruling by the Court of Justice of the European Union, before being codified in the GDPR. It requires data controllers to erase personal data 'without undue delay' in several circumstances: when the data is no longer necessary for the purposes for which it was collected, when the individual withdraws consent, or when processing is unlawful.

In the KYC and compliance context, this right frequently conflicts with retention obligations imposed by anti-money laundering regulations. Most AML frameworks require organisations to retain identity documents and verification results for five years after the end of the business relationship. During this period, an erasure request can legitimately be refused on the grounds of a legal obligation to retain data.

When erasure is carried out, it must be comprehensive: production databases, backups, third-party systems, and processors must all be notified. The data controller must also inform any recipients to whom the data has been disclosed, in accordance with Article 19 of the GDPR.

Regulations

gdpr-rgpd, right-to-be-forgotten, lcb-ft

Real-world examples

  1. A former bank customer requests erasure of their KYC data: the bank refuses because the business relationship ended less than five years ago, and the AML retention obligation takes precedence.
  2. A user who created an account on a lending platform without completing their application exercises their right to erasure: the platform must delete all their data as no legal retention obligation applies.
  3. An insurance broker receives an erasure request and must notify its three processors (identity verification, scoring, archiving) to also delete the data subject's information.
