Deletion of personal data under the GDPR

Seven years ago when the EU General Data Protection Regulation (GDPR) came into effect, the right to be forgotten was particularly attention-grabbing. The right which, among others, allows for individuals to delete irrelevant data had existed previously under the EU Personal Data Protection Directive. The GDPR, however, codified it as a set of entitlements and requirements covered by the newly scoped right of erasure.

Article 17(1) of the GDPR outlines several conditions to this right. These conditions include withdrawal of consent, unlawful processing of data (e.g., by training an AI model without an appropriate legal basis or against data protection principles such as lack of transparency) and, notably, when the data processing is no longer needed. The joint aim is to address the increased need for data minimisation and an individual’s control over their digital footprint. Perhaps more than the conditions, what is interesting from a lawyer’s perspective when it comes to the right to erasure are the exceptions. These exceptions have been a commonly litigated issue at EU data protection authorities and national courts, and given many open questions will likely remain litigated in the AI context as well.

Technical and legal challenges of data erasure

Diligently carrying out requests to delete is hard and has been, for a long time, one of the major challenges for data governance professionals. Deleting personal information in informational systems – including by deidentifying or aggregating it – can be a big technical challenge. Data is not always easy to find, may be difficult to reach (e.g., it might be stored with an external organisation in a different format or system that can’t be accessed), and deletion of personal data (unless physically purging it) may turn out to be a reversible process.

To additionally complicate things, the GDPR doesn’t provide a clear definition of deletion. This is different from certain national jurisdictions, including Germany (specifically, in the former Bundesdatenschutzgesetz, Article 3(5)(5)), which have adopted a more specific description of what constitutes the standard of erased data. Based on the past jurisprudence, we have come to understand that deletion can take different forms such as data anonymisation, data purging or delisting. In other words, whether deletion is in accordance with the legal standard must be assessed on a case-by-case basis.

AI enters (and complicates) the story

With the rise of AI some of these concerns have exacerbated since only few deletion techniques are effective and appropriate in the AI context. Most AI systems leverage machine learning, where deletion is particularly problematic. Once data has been used to train a model, it may not be technically possible to remove the influence of a particular data point. Efforts like machine unlearning where models are retrained to forget specific data may lead to a solution, however, it is debatable whether such approximations would meet the standard of ‘complete and permanent erasure’ envisioned under some privacy laws, and they are perhaps too novel yet to fully rely on. An alternative that some regulators have proposed, and AI companies seem to actually have adopted, is filtering of the results to prevent personal data to appear in outputs of an AI system. This solution is of course imperfect as data doesn’t get deleted in an ordinary manner.

These challenges should not be taken lightly. The European Data Protection Board’s latest guidance (pages 29-30) confirms that individuals can request deletion and other rights whenever AI models include personal data. The availability of data subjects’ rights, including deletion, is a factor in assessing the legitimate interest of an AI developer to process personal data. The right to deletion is also a listed as a key correction measure in cases when models are developed unlawfully, e.g. without sufficient transparency. Furthermore, the right of deletion has been proposed as a remedy to correct inaccurate results produced by AI models (such as ChatGPT falsely producing information about an individual being a murderer) and hence an enabler of the related right to rectification.

Looking ahead

Deletion is one of the areas of data protection law where both legal practice and academia would benefit from a more granular understanding of deletion best practices. This is especially relevant in 2025 as new AI technologies are putting additional pressure on individual rights in the digital environment and subsequently triggering new deletion requests.