The right to erasure — an individual’s right to request the deletion of their personal data — has become a cornerstone of privacy protection in the digital age. However, this concept has a fascinating history and evolving developments that every company should be aware of.
The foundation of the right to erasure traces back to the landmark 2014 decision by the European Court of Human Rights in the case of Google Spain SL, Google Inc. v. AEPD and Mario Costeja González. The court recognized for the first time the right to request the removal of search engine results containing personal data that are outdated or irrelevant. This ruling laid the groundwork for the adoption of the GDPR in 2016, which explicitly includes the right to erasure (Article 17).
Since then, significant case law has further shaped this right. In 2022, the Court of Justice of the European Union (CJEU) in case C-460/20 TU v. Google expanded the scope of the right to erasure to include not only textual data but also photos and thumbnails displayed in search engines. This decision strengthened privacy protections in digital media and underscored increased obligations for data controllers.
Today, in 2025, a major step is underway with the coordinated initiative of 30 European Data Protection Authorities (DPAs) along with the European Data Protection Supervisor (EDPS). These supervisory authorities are conducting joint investigations across organizations in the European Union to assess how companies respond to erasure requests, whether they comply with the conditions and exceptions, and whether they have appropriate procedures and technologies in place.
For companies, this initiative means that managing the right to erasure is no longer a mere formal process but a critical component of operational integrity and building trust with customers. Organizations are called upon to:
- Implement transparent and efficient processes for handling erasure requests.
- Understand and properly document legal exceptions where erasure is not feasible or permitted.
- Train staff on responsible management of personal data and erasure requests.
- Invest in technological solutions that support complete and secure data deletion.
Compliance with the right to erasure has become an essential obligation for every data controller committed to respecting data subjects’ rights and adhering to the European legal framework.
Sources & Further Reading:
- CJEU Google Spain ruling (2014)
- CJEU case C-460/20 TU v. Google (2022) (Verfassungsblog)
- EDPB & EDPS 2025 initiative (EDPB, EDPS)