§ GDPR · Article 17

GDPR Article 17: Obligations, Deadlines & Penalties

Regulation (EU) 2016/679, Article 17 · All obligations · GDPR
At a glance
Article 17 of the GDPR imposes 2 obligations on controller. At least one obligation carries an explicit compliance deadline.
§ Obligations

All obligations under Article 17

Obligation 1
The controller must erase personal data concerning the data subject without undue delay when specific grounds apply, such as data no longer being necessary, withdrawal of consent, objection to processing, unlawful processing, legal obligation compliance, or collection in relation to information society services. Regulation (EU) 2016/679, Article 17, Article 17
Obligated entity
controller
Action required
erase
Deadline
without undue delay
Penalty
Exemptions
Processing necessary for freedom of expression, legal obligations, public interest tasks, public health, archiving/research/statistics, or legal claims.
Obligation 2
Where the controller has made personal data public and is obliged to erase it, the controller must take reasonable steps, including technical measures, to inform other controllers processing that data to erase links, copies, or replications. Regulation (EU) 2016/679, Article 17, Article 17
Obligated entity
controller
Action required
inform
Deadline
Penalty
§ Frequently asked

Questions about Article 17

Who must comply with Article 17 of the GDPR? +
controller.
What does Article 17 of the GDPR require? +
erase inform
What is the compliance deadline for GDPR Article 17? +
without undue delay
Need a cross-border briefing on GDPR Article 17?
Search Fontvera ↵
All EU obligation pages  ·  All GDPR articles