Understanding the Right to Be Forgotten in 2026
The right to be forgotten is no longer a niche European concept. In 2026, it’s a global reality that affects every business with an online presence—from a local restaurant in Nice to a multinational SaaS company.
Originally codified in Article 17 of the General Data Protection Regulation (GDPR), the right to erasure gives individuals the power to request that organizations delete their personal data under specific circumstances. Closely related is delisting, a mechanism through which individuals can ask search engines like Google to remove specific URLs from results linked to their name.
For businesses, these rights create concrete operational and legal obligations. Ignoring them isn’t just risky—it’s expensive. By early 2026, cumulative GDPR fines have surpassed €4.2 billion, and data erasure violations account for a growing share of complaints filed with supervisory authorities.
This guide breaks down everything your business needs to know—and do—to stay compliant.
Right to Erasure vs. Delisting: Clearing Up the Confusion
These two concepts are often used interchangeably, but they serve different purposes and target different entities.
Right to Erasure (Article 17 GDPR)
This right applies to data controllers—meaning any organization that collects and processes personal data. When a valid request is made, the controller must:
- Delete the personal data from all systems
- Inform any third parties who received the data
- Remove the data from backups within a reasonable timeframe
Common triggers for a valid erasure request include:
- The data is no longer necessary for the original purpose
- The individual withdraws consent
- The data was unlawfully processed
- The individual was a minor when the data was collected
Delisting (Search Engine Removal)
Delisting targets search engines specifically. Since the landmark Google Spain v. AEPD (2014) ruling by the Court of Justice of the European Union, search engines are considered data controllers for the index they maintain.
A delisting request asks Google (or Bing, or any search engine) to remove a specific link from search results when someone queries a person’s name. The source page itself remains live—only the search engine index entry is removed.
Key difference in practice:
| Aspect | Right to Erasure | Delisting |
|---|---|---|
| Target | Data controller (your business) | Search engine |
| Effect | Data is deleted at the source | Link removed from search results only |
| Legal basis | GDPR Article 17 | GDPR Article 17 + CJEU case law |
| Source content | Removed | Remains online |
| Scope | All personal data held | Specific URLs in search index |
| Typical deadline | 1 month (extendable to 3) | Varies by search engine (usually 1 month) |
Understanding this distinction is critical because your business may need to handle both types of requests—and the internal process for each is different.
The Global Landscape: It’s Not Just Europe Anymore
In 2026, data erasure rights have gone global. Here’s a snapshot of the regulatory landscape:
- European Union (GDPR): The gold standard. Article 17 provides a comprehensive right to erasure with well-established enforcement.
- Brazil (LGPD): Article 18(VI) grants the right to deletion of unnecessary or excessive data.
- California (CCPA/CPRA): The right to delete personal information is a core consumer right, now enforced by the California Privacy Protection Agency.
- Canada (CPPA – proposed): Bill C-27 introduces disposal obligations and a right to request data deletion.
- India (DPDP Act 2023): The Digital Personal Data Protection Act includes erasure rights, with enforcement rules finalized in 2025.
- China (PIPL): Article 47 establishes deletion obligations when processing purposes have been achieved or consent is withdrawn.
Over 40 countries now have some form of data erasure legislation. For any business operating internationally—or even one that simply has a website accessible from multiple countries—multi-jurisdictional compliance is no longer optional.
At Lueur Externe, we regularly advise clients across the Alpes-Maritimes and beyond on building websites and digital platforms that are technically prepared for these regulatory requirements from day one.
When Can You Legally Refuse an Erasure Request?
Not every request must be honored. The GDPR provides clear exceptions, and understanding them protects your business from both over-compliance (deleting data you actually need) and under-compliance (ignoring valid requests).
Legitimate Grounds for Refusal
- Freedom of expression and information — Journalistic, academic, artistic, or literary purposes may override the erasure right.
- Legal obligation — If you’re required by law to retain the data (e.g., tax records, anti-money laundering regulations).
- Public interest — Data processing for public health, scientific or historical research, or statistical purposes.
- Legal claims — If the data is needed for establishing, exercising, or defending legal claims.
- Manifestly unfounded or excessive requests — You can charge a reasonable fee or refuse outright if the request is clearly abusive.
A Real-World Example
Imagine you run an e-commerce store built on Prestashop (a platform Lueur Externe has been certified in for years). A former customer asks you to delete all their data. However, French tax law requires you to retain invoices and transaction records for 10 years. In this case, you would:
- Delete all non-essential personal data (marketing preferences, browsing history, saved addresses)
- Retain only the transaction records required by law
- Inform the customer of the partial deletion and the legal basis for retaining the remaining data
Documentation is everything. Every decision—whether you comply or refuse—must be recorded and justified.
Building an Internal Workflow: Step-by-Step
The biggest compliance failures don’t happen because businesses act in bad faith. They happen because there’s no process. Here’s a practical workflow your organization can implement today.
Step 1: Centralize Request Intake
Create a single point of contact for all data-related requests. This could be:
- A dedicated email address (e.g., privacy@yourdomain.com)
- A form on your website’s privacy page
- Your appointed Data Protection Officer (DPO)
Step 2: Verify the Requester’s Identity
Before deleting anything, confirm the person is who they claim to be. Acceptable verification methods include:
- Matching the request email with the account email on file
- Requesting a copy of a government-issued ID (while minimizing the data you collect for verification)
- Two-factor authentication if the person has an active account
Step 3: Assess the Request
Determine whether the request is valid under applicable law. Use this decision tree:
```
ERASURE REQUEST RECEIVED
│
├── Is the requester's identity verified?
│   ├── NO → Request additional verification (do not start the clock yet)
│   └── YES → Continue
│
├── Does a legal exemption apply?
│   ├── YES → Document the exemption, notify the requester, REFUSE (partially or fully)
│   └── NO → Continue
│
├── Is the data shared with third parties?
│   ├── YES → Notify all third parties of the erasure obligation
│   └── NO → Continue
│
├── Can the data be fully erased from all systems (including backups)?
│   ├── YES → Execute full erasure within 30 days
│   └── PARTIAL → Erase what is possible, schedule backup purge, document timeline
│
└── CONFIRM erasure to the requester in writing
```
Step 4: Execute and Document
Delete the data from:
- Production databases
- CRM systems
- Email marketing platforms
- Analytics tools
- Backup systems (within a reasonable cycle—typically the next scheduled purge)
Maintain an internal log that records:
- Date the request was received
- Date identity was verified
- Decision taken (full compliance, partial compliance, or refusal)
- Legal basis for any refusal
- Date the erasure was completed
- Any third parties notified
Step 5: Respond to the Requester
Always send a written confirmation, even in cases of refusal. Include:
- A summary of the action taken
- The legal basis (if data was retained)
- Information about the right to lodge a complaint with the supervisory authority (e.g., the CNIL in France)
The Technical Side: What Your Website Needs
Compliance isn’t just a legal exercise—it requires technical infrastructure. Here are the concrete changes your website and systems need.
Privacy-by-Design Architecture
Your database schema should make it possible to identify and delete all data related to a specific individual. This sounds obvious, but in practice, many legacy systems scatter personal data across dozens of tables with no unified identifier.
Practical tips:
- Use a single customer ID that links all personal data across tables
- Implement soft delete functionality so erasure can be staged and audited before permanent removal
- Build automated data retention policies that purge data after the legal retention period expires
- Ensure your CMS or e-commerce platform (WordPress, Prestashop, etc.) has GDPR-compliant plugins or modules installed and configured
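The sketch below is an added example, not code from Prestashop or from the agency. It shows how a shared customer ID makes the partial erasure from the invoice scenario above mechanical, and it writes the log fields listed under Step 4. The table names, the `ERASABLE` list and the sample customer are constructed assumptions; the 10-year period is the figure given in the article.

```python
import sqlite3
from datetime import date

# Constructed schema: every table with personal data carries customer_id.
SCHEMA = """
CREATE TABLE customers (customer_id INTEGER PRIMARY KEY, email TEXT, erased_at TEXT);
CREATE TABLE addresses (customer_id INTEGER, street TEXT);
CREATE TABLE marketing_prefs (customer_id INTEGER, newsletter INTEGER);
CREATE TABLE invoices (customer_id INTEGER, billing_name TEXT, issued TEXT);
CREATE TABLE erasure_log (customer_id INTEGER, received TEXT, verified TEXT,
  decision TEXT, legal_basis TEXT, completed TEXT, third_parties TEXT);
"""
ERASABLE = ("addresses", "marketing_prefs")  # assumed to carry no retention duty
RETENTION_YEARS = 10                         # invoice period given in the article

def build_sample_db():
    """In-memory database with one constructed customer (id 1)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO customers VALUES (1, 'jane@example.com', NULL)")
    db.execute("INSERT INTO addresses VALUES (1, '1 Example Street')")
    db.execute("INSERT INTO marketing_prefs VALUES (1, 1)")
    db.executemany("INSERT INTO invoices VALUES (1, 'Jane Doe', ?)",
                   [("2012-03-01",), ("2024-06-15",)])
    db.commit()
    return db

def erase_customer(db, cid, received, verified, today, third_parties=()):
    """Erase what no retention duty covers, keep the rest, log the decision."""
    # ISO dates compare correctly as strings; this also avoids a 29 February error.
    cutoff = f"{today.year - RETENTION_YEARS:04d}{today.isoformat()[4:]}"
    with db:  # single transaction: all steps commit together or roll back
        for table in ERASABLE:  # fixed constant names, never request input
            db.execute(f"DELETE FROM {table} WHERE customer_id = ?", (cid,))
        db.execute("DELETE FROM invoices WHERE customer_id = ? AND issued < ?",
                   (cid, cutoff))  # retention period over: purge
        held = db.execute("SELECT COUNT(*) FROM invoices WHERE customer_id = ?",
                          (cid,)).fetchone()[0]
        db.execute("UPDATE customers SET email = NULL, erased_at = ? "
                   "WHERE customer_id = ?", (today.isoformat(), cid))
        decision = "partial" if held else "full"
        basis = "statutory invoice retention" if held else None
        db.execute("INSERT INTO erasure_log VALUES (?,?,?,?,?,?,?)",
                   (cid, received.isoformat(), verified.isoformat(), decision,
                    basis, today.isoformat(), ",".join(third_parties)))
    return decision, held
```

Backups and third-party systems are outside this sketch; the `third_parties` argument only records who was notified.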
Cookie Consent and Tracking
Delisting and erasure requests often stem from data collected through tracking. Make sure your cookie consent banner:
- Blocks all non-essential cookies until explicit consent is given
- Records and stores proof of consent
- Allows users to withdraw consent as easily as they gave it
- Is compliant with the latest CNIL guidelines (updated in 2025)
Search Engine Considerations
If your website publishes content that includes personal data (testimonials, case studies, employee pages, blog posts), you need a process for:
- Removing or anonymizing content upon request
- Submitting URL removal requests to Google Search Console after the content is taken down
- Using `noindex` meta tags or `X-Robots-Tag` HTTP headers to prevent re-indexing
Here’s a quick example of how to noindex a specific page in your HTML:
```html
<meta name="robots" content="noindex, nofollow">
```
Or via an HTTP header (useful for non-HTML resources):
```
X-Robots-Tag: noindex, nofollow
```
For WordPress sites, this can be managed per-page using popular SEO plugins or, for more complex setups, through server-level configuration—something the team at Lueur Externe handles routinely for clients running on AWS-hosted WordPress environments.
Delisting Requests: What Businesses Should Know About Google
Google processes hundreds of thousands of delisting requests each year. According to Google’s own transparency report, since the original 2014 ruling:
- Over 2.2 million URLs have been requested for delisting in Europe
- Approximately 52% of requested URLs have been delisted
- The most common reasons for refusal are public interest and insufficient information
When Delisting Affects Your Business Directly
Your business can be impacted by delisting even if you’re not the one making the request:
- A former employee asks Google to delist a page on your site that mentions them
- A customer requests removal of a review page or case study featuring their name
- A business partner asks for delisting of a joint press release
In these scenarios, Google may delist the URL from name-based searches without contacting you. You may notice a drop in traffic to specific pages without understanding why.
Proactive measures:
- Regularly audit your published content for personal data
- Obtain and archive written consent for any content that names individuals
- Monitor Google Search Console for manual actions or URL removals
- Have a response plan ready if Google contacts you about a delisting request
Penalties and Enforcement: The Numbers Don’t Lie
Regulatory enforcement is accelerating. Here are some notable 2025–2026 developments:
- Meta (Facebook): Fined €1.2 billion in 2023 for data transfer violations—a case that also implicated erasure practices.
- Clearview AI: Fined by multiple EU DPAs (France: €20 million, Italy: €20 million, UK: £7.5 million) for failing to comply with erasure requests.
- Small and medium businesses: The CNIL issued 147 formal notices to SMEs in France in 2025 alone, many related to inadequate erasure procedures.
The takeaway? You don’t need to be a tech giant to attract regulatory scrutiny. A single unresolved complaint from a data subject can trigger an investigation.
Preparing for 2026 and Beyond: A Compliance Checklist
Use this checklist to evaluate your current readiness:
- A clear, accessible privacy policy that explains erasure rights
- A dedicated channel for receiving and managing data requests
- Identity verification procedures for requesters
- A documented decision-making process for handling requests
- Technical capability to locate and delete all personal data for a given individual
- Third-party data processor agreements that include erasure obligations
- Automated data retention and purge schedules
- Regular staff training on data protection obligations
- An incident response plan for missed deadlines or breaches
- Legal counsel or DPO available for complex cases
If you can’t check every box, you have work to do—but you’re not alone. Most businesses are still catching up.
Conclusion: Compliance Is a Competitive Advantage
The right to be forgotten and delisting aren’t just legal burdens—they’re trust signals. Consumers increasingly choose brands that respect their privacy. A Cisco 2025 Data Privacy Benchmark Study found that 94% of consumers said they wouldn’t buy from a company they didn’t trust to handle their data properly.
Building compliant systems from the ground up—whether you’re launching a new Prestashop store, redesigning a WordPress site, or migrating infrastructure to AWS—is far cheaper and more effective than retrofitting compliance after a regulatory complaint.
That’s exactly where having the right technical and strategic partner makes all the difference. Lueur Externe, a web agency founded in 2003 and based in the Alpes-Maritimes, combines deep technical expertise (certified Prestashop partner, AWS Solutions Architect, WordPress and SEO/LLM specialists) with a practical understanding of the legal frameworks that govern your online presence.
Whether you need a GDPR-compliant website audit, a privacy-by-design architecture review, or help configuring your e-commerce platform to handle erasure requests seamlessly, get in touch with the Lueur Externe team. In a world where data privacy defines brand reputation, proactive compliance isn’t a cost—it’s your strongest competitive edge.