The right to erasure, also known as the right to be forgotten, is a fundamental right under Article 17 of the General Data Protection Regulation (GDPR) that allows individuals to request the deletion of their personal data from an organisation's systems. For Irish companies acting as data controllers, this means you must have processes in place to receive, assess, and respond to erasure requests within one calendar month.
For founders and business owners in Ireland, the right to erasure is one of the most practical and frequently exercised data subject rights. Whether a customer asks you to delete their account, a former employee requests removal of their records, or a website visitor wants their data wiped, you need a clear, documented procedure for handling these requests. Getting it wrong can lead to complaints to the Data Protection Commission (DPC) and, in serious cases, substantial fines.
Understanding this right matters because it affects how you design your systems, manage your data, and train your staff. The right to erasure is not absolute, and there are important exceptions that allow you to retain data in certain circumstances. Knowing when you must delete and when you may refuse is essential for balancing your data protection obligations with your legitimate business and legal needs.
An individual can request erasure of their personal data in several circumstances defined by GDPR. The most common grounds include where the data is no longer necessary for the purpose it was originally collected, where the individual withdraws consent and there is no other legal basis for processing, where the individual objects to processing and there are no overriding legitimate grounds, and where the data has been unlawfully processed.
The right also applies where personal data must be erased to comply with a legal obligation under Irish or EU law, or where data was collected in relation to the offer of information society services to a child. In practice, most erasure requests Irish companies receive relate to customers who no longer wish to use a service and want their personal data removed from the company's systems.
When you receive an erasure request, you must respond without undue delay and within one calendar month. You should first verify the identity of the person making the request to ensure you are not disclosing or deleting data based on a fraudulent request. Once verified, you must assess whether the request is valid by checking whether any of the grounds for erasure apply and whether any exceptions allow you to refuse.
If the request is valid, you must delete the personal data from all your systems, including backups where technically feasible. If you have shared the data with third-party data processors, you must inform them of the erasure request so they can also delete the data. You must confirm the erasure to the individual in writing, explaining what data has been deleted and from which systems.
The right to erasure is not absolute. GDPR sets out several important exceptions where you may refuse a request. These include where the data is needed to exercise the right of freedom of expression and information, where retention is required for compliance with a legal obligation (such as tax records or employment records), where the data is needed for reasons of public interest in the area of public health, and where the data is required for the establishment, exercise, or defence of legal claims.
For Irish companies, the most commonly relied-upon exception is the legal obligation to retain certain records. For example, you must keep financial records for six years under Irish tax law, and employment records must be retained for specific periods under employment legislation. In these cases, you can refuse the erasure request for those specific records while still deleting any other data that is not subject to a retention requirement.
Failure to comply with a valid erasure request can result in enforcement action from the Data Protection Commission. Under GDPR, fines for infringement of data subject rights can reach up to €20 million or 4% of global annual turnover, whichever is higher. The DPC can also order you to comply with the request, impose a temporary processing ban, or require you to notify the affected individual.
Beyond regulatory penalties, failing to handle erasure requests properly can damage your reputation and erode customer trust. Individuals who are dissatisfied with your response can lodge a complaint with the DPC, which may trigger a broader investigation into your data protection practices. For startups seeking investment, poor data protection compliance is a red flag during due diligence that can affect valuations or derail deals entirely.
Preparation starts with understanding what personal data you hold, where it is stored, and how it flows through your systems. Maintain a comprehensive data inventory that maps each category of personal data to its storage location, legal basis for processing, and retention period. This inventory makes it possible to respond to erasure requests quickly and accurately, without missing data in forgotten systems or databases.
Establish a documented procedure for handling erasure requests that includes identity verification, assessment of the legal basis, a timeline for response, and a process for notifying third-party processors. Train your customer-facing staff to recognise erasure requests and escalate them to the appropriate person. Include the right to erasure in your corporate compliance programme and add regular reviews of your data handling practices to your compliance calendar.
The right to erasure must be balanced against your other legal obligations. You cannot delete data that you are legally required to retain, such as financial records needed for directors' duties and tax compliance, or records needed to defend against potential legal claims. When you receive an erasure request, you should assess each category of data individually to determine what can be deleted and what must be retained.
If you refuse an erasure request in whole or in part, you must inform the individual of your reasons and advise them of their right to lodge a complaint with the DPC or seek a judicial remedy. Document your decision-making process carefully, as you may need to demonstrate to a regulator that your refusal was justified. Transparency and clear communication with the individual help maintain trust even when you cannot fully comply with their request.