§ GDPR · Article 17
GDPR Article 17: Obligations, Deadlines & Penalties
At a glance
Article 17 of the GDPR imposes 2 obligations on controller. At least one obligation carries an explicit compliance deadline.
§ Obligations
All obligations under Article 17
Obligation 1
The controller must erase personal data concerning the data subject without undue delay when specific grounds apply, such as data no longer being necessary, withdrawal of consent, objection to processing, unlawful processing, legal obligation compliance, or collection in relation to information society services.
Regulation (EU) 2016/679, Article 17, Article 17
- Obligated entity
-
controller
- Action required
-
erase
- Deadline
-
without undue delay
- Penalty
-
—
- Exemptions
- Processing necessary for freedom of expression, legal obligations, public interest tasks, public health, archiving/research/statistics, or legal claims.
Obligation 2
Where the controller has made personal data public and is obliged to erase it, the controller must take reasonable steps, including technical measures, to inform other controllers processing that data to erase links, copies, or replications.
Regulation (EU) 2016/679, Article 17, Article 17
- Obligated entity
-
controller
- Action required
-
inform
- Deadline
-
—
- Penalty
-
—
§ Frequently asked
Questions about Article 17
Who must comply with Article 17 of the GDPR?
+
controller.
What does Article 17 of the GDPR require?
+
erase inform
What is the compliance deadline for GDPR Article 17?
+
without undue delay