GDPR Right to Be Forgotten: Article 17 Erasure (2026)

The GDPR right to be forgotten lets you demand that an organisation delete personal data about you when one of six specific grounds in Article 17(1) applies, unless one of five exceptions in Article 17(3) allows the controller to refuse. Established as a legal right by the Court of Justice of the EU in 2014 and codified in Regulation (EU) 2016/679, it covers both direct erasure from company databases and de-referencing from search engine results. Controllers must respond within one month.

For a broader overview of all eight GDPR data subject rights, see GDPR data subject rights. For background on the regulation as a whole, see what is GDPR. For the companion right that lets you see what data a controller holds before deciding whether to request deletion, see GDPR subject access requests. This page is the complete guide to Article 17 erasure.

GDPR Right to Be Forgotten: Article 17 Erasure (2026)

What Article 17 of the GDPR Actually Says

Article 17(1) of Regulation (EU) 2016/679 states: the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of six grounds applies. The phrase "without undue delay" is given concrete meaning by the one-month response deadline in Article 12(3).

Recital 65 of the regulation provides the legislative purpose. It states that a data subject should have the right to have personal data erased and no longer processed where the data are no longer necessary for the purposes for which they were collected or otherwise processed, where consent has been withdrawn, and where there is no other legal ground for processing. Recital 65 identifies the online environment as the context where this right matters most, and explicitly singles out data shared during childhood as a priority concern.

Recital 66 adds the online cascade dimension: the right to erasure should be extended so that a controller who has made personal data public is obliged to inform other controllers processing those data to erase any links to, or copies or replications of, those personal data. This recital is the direct structural foundation for the duty in Article 17(2) to notify third-party controllers, and it provides the legislative basis for applying the right to search engine de-referencing even when the source page remains live.

These recitals are not binding legal provisions on their own, but they are the authoritative interpretive guide to the legislature's intent. EU courts and supervisory authorities use recitals to resolve ambiguities in the operative articles.

The Six Grounds for Erasure Under Article 17(1)

An erasure request only triggers Article 17 if at least one of the following six grounds, set out in Article 17(1)(a) through (f), applies to your situation. The table below gives a quick reference; the sections that follow explain each ground.

(a) Data No Longer Necessary for Its Original Purpose

If an organisation collected data about you to fulfil a specific, identified purpose and that purpose has come to an end, the organisation has no lawful basis under Article 5(1)(e) (the storage limitation principle) to continue holding it. A retailer that still retains detailed behavioral profiles from a purchase you made several years ago, with no ongoing contractual or legal relationship to justify the retention, is a clear example. The key question is whether the data is still needed for the specific purpose for which it was collected, not whether the controller can imagine a hypothetical future use.

This ground is the most frequently invoked in practice because it applies across the widest range of processing activities. It does not require you to prove fault or unlawfulness on the controller's part; it simply requires that the original justification has expired.

(b) Consent Withdrawn and No Other Legal Basis Exists

If the only legal basis for processing your personal data was your consent under Article 6(1)(a), and you withdraw that consent, the controller must erase the data. The critical qualifier is "no other legal basis": if the controller can point to a separate justification, such as a contract under Article 6(1)(b), a legal obligation under Article 6(1)(c), or a legitimate interest under Article 6(1)(f), it can refuse erasure on consent-withdrawal grounds alone.

Two points matter in practice. First, consent withdrawal is prospective: it does not render processing that occurred before withdrawal unlawful. Second, the burden is on the controller to identify the alternative legal basis. It cannot simply assert that one exists; it must specify which one applies and why.

(c) Successful Objection Under Article 21

Article 21(1) gives you the right to object to processing based on legitimate interests or public-interest tasks. The controller can override your objection only by demonstrating compelling legitimate grounds that override your interests, rights, and freedoms. Where the controller has no such grounds, the objection succeeds and Article 17(1)(c) is triggered: erasure follows from the successful objection.

Article 21(2) creates an unconditional route: objecting to processing for direct marketing purposes carries no balancing test. A controller receiving a direct-marketing objection cannot invoke public-interest grounds or any Article 17(3) exception (other than those that independently apply to the data itself). The Article 21(2) objection is a complete bar to direct-marketing processing, and erasure of the data held specifically for that purpose must follow.

(d) Unlawful Processing

Where data was processed in breach of the GDPR (collected without a valid legal basis, retained beyond the lawful period, processed in a manner incompatible with the original purpose, or obtained through deceptive means), erasure is available regardless of whether the controller still has a technical "purpose" for the data. This ground captures both initial unlawfulness (data should never have been collected) and subsequently unlawful retention (data was lawfully collected but kept beyond the permitted period).

A common application: a controller relies on consent as the legal basis, the consent form was invalid (pre-ticked boxes, bundled consent, lack of specific purpose), and the processing was therefore unlawful from the start. Ground (d) applies even if the controller would now like to argue a legitimate interest retrospectively.

(e) Erasure Required by EU or Member State Law

Some EU regulations and national laws impose mandatory retention periods followed by mandatory deletion. Where such a legal obligation specifically requires erasure after a defined period, that obligation itself triggers the Article 17(1)(e) ground. Healthcare record retention laws in several Member States are one example: they require records to be kept for a statutory period and then destroyed.

This ground is relatively narrow: the legal obligation must specifically require deletion, not merely permit it or be silent on the matter.

(f) Data Collected from a Child for an Information-Society Service

Article 17(1)(f) is the children's data ground and it is the most difficult for a controller to resist. Under Article 8(1) of the GDPR, the default minimum age of consent for information-society services (social media platforms, apps, online games, and similar digital products) is 16. Member States may lower this floor to no less than 13, and many have.

Any data collected about you when you were below the applicable national threshold, without valid parental or guardian consent, was unlawfully processed under Article 8. That unlawful collection triggers both Article 17(1)(d) and Article 17(1)(f) simultaneously. Recital 65 singles this out explicitly, stating that the right to be forgotten is especially important where a data subject has been a child at the time of collection.

Crucially, this ground applies even if you are now an adult. The relevant fact is the age at which the data was collected, not your current age. If you created a social media account at 14 in a Member State where the consent age was 16, you can invoke Article 17(1)(f) and (d) together as an adult requesting deletion of all data collected during that period. The platform cannot rely on its current, lawful relationship with you as an adult to defeat an erasure request directed at data collected during childhood.

The only practical limitation is the Article 17(3) exceptions. Where some data must be retained under a legal obligation (for example, financial transaction records required under tax law), that specific subset may be kept. But behavioral profiles, advertising data, content you posted as a minor, and records serving purely operational purposes are unlikely to fall within any Article 17(3) exception.

The Five Exceptions: When Erasure Can Be Refused Under Article 17(3)

Even where one of the six grounds in Article 17(1) applies, a controller may lawfully decline to erase if continued processing is necessary for one of the five purposes listed in Article 17(3)(a) through (e). The following table summarises these exceptions before each is explained.

It is the controller's burden to identify which exception applies and to communicate that to you in writing when refusing a request. A blanket refusal citing no specific ground from Article 17(3) is itself a GDPR infringement.

(a) Freedom of Expression and Information

Journalism, commentary, opinion, public-interest reporting, and archiving of information of genuine public concern can all fall within this exception. This is the most heavily litigated exception in the search-engine context, where operators routinely invoke it to justify retaining links to news articles about individuals.

The exception is not unlimited. Not every published article about a private individual qualifies as protected expression in the public interest. The balance tilts toward privacy where: the events are old; the individual played no public role; the information serves no current public purpose; or the person was a minor at the time. It tilts toward expression where: the subject is a public figure; the information concerns their exercise of public functions; the events are recent; or the public has a genuine ongoing interest. The EDPB's Guidelines 5/2019 on the criteria of the right to be forgotten in search engine cases set out a non-exhaustive list of criteria for making this assessment, including the role of the data subject in public life, the nature of the information, the time elapsed, and any rehabilitation considerations.

(b) Legal Obligation, Public-Interest Task, or Exercise of Official Authority

Where EU or Member State law requires the controller to retain data, it cannot simply erase it on request. Employment law, tax law, social security law, anti-money-laundering requirements, and healthcare record-keeping rules are among the most common sources of mandatory retention periods. Public authorities and bodies exercising official functions also fall within this exception when processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority under Article 6(1)(e).

The exception requires that retention be genuinely necessary for the legal obligation or public-interest task. A controller cannot point to a tangentially related legal rule as a pretext for retaining data it wants to keep for commercial reasons.

(c) Public Health

Processing necessary for reasons of public interest in the area of public health (disease monitoring, epidemiology, pharmacovigilance, cross-border health threat response) may override an erasure request, particularly for special category health data under Article 9. This exception is invoked less frequently by private companies and more commonly by public health bodies and healthcare providers.

(d) Archiving in the Public Interest, Scientific Research, Historical Research, or Statistics

Erasure requests can be refused where data is being processed for archiving purposes in the public interest, or for scientific or historical research, or statistical purposes, provided that granting the erasure request would seriously impair the achievement of those objectives. National archives, longitudinal academic research studies, and official statistical datasets are the most common beneficiaries of this exception.

The key qualifier is "seriously impair": a controller cannot invoke this exception as a blanket shield for any dataset that might conceivably be useful for future research. The impairment must be demonstrably serious and the research purpose genuinely in the public interest.

(e) Establishment, Exercise, or Defence of Legal Claims

If an organisation needs to retain data to initiate, conduct, or defend litigation, arbitration, regulatory proceedings, or similar legal processes, it can invoke this exception. This is frequently relied upon in employment disputes (where HR records may be needed to defend an unfair dismissal claim), financial services contexts (where transaction records are needed for regulatory investigations), insurance claims, and professional negligence matters.

The exception covers only the data necessary for the specific legal claim or proceeding, not the controller's entire record set. Once proceedings conclude, the justification for continued retention under this exception evaporates.

The Cascade to Other Controllers: Article 17(2)

Article 17(2) addresses the situation where a controller has already made your personal data public, for example by posting it on a website, sharing it with advertising partners, or distributing it via a data marketplace. Where that controller is required under Article 17(1) to erase data it has made public, Article 17(2) requires it to take reasonable steps, including technical measures, taking account of available technology and the cost of implementation, to inform other controllers processing the data that you have requested erasure of any links to, or copy or replication of, those data.

This is the provision that makes the right to be forgotten structurally distinct from a simple deletion request directed at a single company. The controller who published the data bears an obligation to notify downstream controllers of the erasure request. Those downstream controllers are then independently responsible for complying with the erasure obligation within their own systems.

In the search-engine context, Article 17(2) creates an independent basis for submitting de-referencing requests directly to search engine operators, separately from any request to the original publisher. When a website holds lawfully published content about you, you can request de-referencing from the search engine because the search engine is itself a controller that has processed the public data within the meaning of Article 17(2). You do not have to first obtain removal of the source page in order to request de-referencing.

How Erasure Differs from a Subject Access Request

The right to erasure under Article 17 and the right of access under Article 15 (subject access request, or SAR) are distinct rights serving different purposes, though they are often used in sequence.

A subject access request under Article 15 gives you the right to obtain confirmation of whether a controller holds personal data about you, a copy of that data, and information about how it is being processed. That information covers the purposes, the legal basis, any recipients, and the retention period. A SAR is an information-gathering right. It lets you discover what a controller holds before deciding what to do with that information.

The right to erasure under Article 17 is an action right: it directs the controller to delete the data. The two rights are logically connected but procedurally separate: a SAR does not trigger an erasure obligation, and an erasure request does not entitle you to a copy of the data before deletion.

In practice, many privacy advisers recommend submitting a SAR first to understand precisely what data a controller holds, its legal basis, and its retention policy. Armed with that information, you are better placed to identify which Article 17(1) ground applies and to predict which Article 17(3) exceptions the controller is likely to invoke.

Both rights are subject to the same one-month response timeline under Article 12(3), and both are free of charge under Article 12(5).

Where the Right Was Born: Google Spain (C-131/12, 2014)

The right to be forgotten as applied to search engines predates the GDPR. It was created by the Court of Justice of the European Union in Case C-131/12, Google Spain SL and Google Inc. v. Agencia Espanola de Proteccion de Datos (AEPD) and Mario Costeja Gonzalez, Grand Chamber, decided 13 May 2014. The case arose under the then-applicable Data Protection Directive 95/46/EC; the GDPR subsequently codified and strengthened the principle in Article 17.

The facts: a Spanish national, Mario Costeja Gonzalez, asked Google to remove search results that, when his name was entered, surfaced a 1998 newspaper notice about a debt-related property auction that had long been resolved. The original newspaper article had been lawfully published. The question was whether Google, by indexing and returning those results, was itself subject to data protection obligations.

The Court held at paragraph 33 that the activity of a search engine (finding information published or placed on the internet by third parties, indexing it automatically, storing it temporarily, and making it available to internet users according to a particular order of preference) must be classified as processing of personal data when that information contains personal data. This resolved a foundational question: search engines are not passive conduits.

At paragraph 34, the Court held that the operator of a search engine must be regarded as the controller of that processing within the meaning of Article 2(d) of Directive 95/46/EC (now Article 4(7) of the GDPR), because it determines the purposes and means of that processing. This was the threshold finding that made the right to de-referencing legally possible: search engines are data controllers with data protection obligations.

On the substance of the erasure right, the Court held at paragraph 88 that a search engine operator is obliged to remove from the list of results, displayed following a search made on the basis of a person's name, links to web pages published by third parties which contain information relating to that person, even when its publication in itself on those pages is lawful. The right to remove from search results is therefore independent of the lawfulness of the source page.

The balancing test at paragraph 81 provides the governing standard: a data subject's rights to privacy and data protection, under Articles 7 and 8 of the EU Charter of Fundamental Rights, "override, as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information." The exception is where, for particular reasons such as the role played by the data subject in public life, the interference with fundamental rights is justified by the preponderant interest of the general public in having access to the information in question. This is the basis for the public-figure distinction that remains central to all de-referencing decisions today.

How Far Does De-Referencing Reach: Google v CNIL (C-507/17, 2019)

Following the GDPR's entry into force in May 2018, France's data protection authority, the Commission nationale de l'informatique et des libertes (CNIL), ordered Google to implement de-referencing on all versions of its search engine worldwide, not just EU-Member-State-facing domains. The CNIL reasoned that limiting de-referencing to EU-facing domains was ineffective because any EU user could easily access the de-listed results via google.com or another non-EU domain.

Google challenged the worldwide scope. In Case C-507/17, Google LLC v. CNIL, Grand Chamber, decided 24 September 2019, the CJEU ruled that EU law does not require global de-referencing.

The primary holding was that the operator of a search engine is not required to carry out de-referencing on all versions of its search engine globally, but on the versions of that engine corresponding to all the Member States. Two reasons grounded this conclusion. First, the GDPR's territorial scope under Article 3 and the right to be forgotten under Article 17 do not, as a matter of EU legislative intent, impose requirements beyond EU territory. Second, numerous third states do not recognise the right to de-referencing or take a materially different approach, and imposing EU standards globally would effectively require EU law to override the legal choices of those jurisdictions.

However, the ruling does not leave EU users unprotected in terms of practical access. The Court held that within the EU, de-referencing operators must implement sufficiently effective measures to prevent EU users from accessing de-listed links via non-EU versions of the search engine. In practice, this means geo-blocking: when a user in France navigates to google.com rather than google.fr, the de-listed result must still be withheld for that user based on their geolocated EU presence.

The practical outcome: a successful de-referencing request removes the link from google.fr, google.de, google.it, and all other EU-domain versions. Geo-blocking should prevent EU-based users from seeing the removed result on google.com. The same link remains visible to a user in the United States or Japan accessing google.com from outside the EU.

EDPB Enforcement and the 2025 Coordinated Action

The European Data Protection Board (EDPB) has issued Guidelines 5/2019 on the criteria of the right to be forgotten in search engine cases under the GDPR, finalised after public consultation in July 2020. Those guidelines set out thirteen categories of cases (ranging from data subjects who played roles in criminal proceedings to victims of crimes to public figures) and identify the factors supervisory authorities should weigh when assessing whether a de-referencing request should be granted or refused.

In February 2026, the EDPB published the results of its Coordinated Enforcement Action on the right to erasure (CEF 2025), which examined how controllers across the EU were implementing erasure requests in practice. The coordinated action found widespread issues: incomplete responses that acknowledged requests but failed to confirm whether erasure had been carried out; reliance on exceptions without adequately identifying which specific exception applied; and delays in responding beyond the one-month deadline without invoking the permitted two-month extension. The report directed supervisory authorities in participating Member States to follow up with controllers that had systematic compliance failures.

The coordinated enforcement mechanism reflects a maturation in how the EDPB approaches systemic issues. Rather than leaving each national DPA to identify non-compliance independently, the EDPB now coordinates simultaneous enforcement sweeps across multiple jurisdictions on high-priority rights. Erasure was selected for the 2025 sweep precisely because of the volume of complaints about incomplete responses and unjustified refusals.

How to Submit an Erasure Request to a Controller

Article 12(3) requires a response within one calendar month of receipt of the request. There is no prescribed form. You can submit by email, through an online privacy rights portal, or by postal letter. Most large organisations operating under the GDPR now maintain a dedicated privacy rights portal, typically linked from their website footer under labels such as "Privacy Rights," "Data Subject Request," or "My Privacy Choices."

What to Include in Your Request

Your request should be specific enough to allow the controller to identify you and understand what you are asking for. Include:

1. Your full name and any identifier the organisation uses for you: email address, account username, customer number, or reference number.
2. The specific data or categories of data you want erased. The more precise you can be, the better. If you have carried out a subject access request first, you will have a clearer picture of what the controller holds.
3. The Article 17(1) ground you are relying on. Naming the ground is not legally required, but it focuses the controller's attention and makes it harder for the response to be vague. For example: "I am requesting erasure under Article 17(1)(a) GDPR because the data is no longer necessary for the purpose for which it was collected" or "under Article 17(1)(b) because I hereby withdraw my consent and there is no other legal basis."
4. A request for written confirmation that erasure has been carried out, identifying the categories of data deleted.
5. Your contact details for the response.

Under Article 12(5), the response is free of charge. Where requests are manifestly unfounded or excessive (particularly because of their repetitive character), the controller may charge a reasonable fee or decline to act, but the burden of demonstrating that threshold rests entirely on the controller. A single, clearly formulated erasure request cannot be dismissed as excessive.

Identity Verification

A controller may ask you to provide additional information to verify your identity if it cannot do so through commercially reasonable means. It cannot use this as a pretext to refuse the request altogether or to extend the response period without notice. Article 12(6) permits a controller to request additional information necessary to confirm the identity of the data subject, but it must do this promptly and must not use the verification step to run down the clock on the one-month response deadline.

What Happens After You Submit: Timelines and Escalation

Article 12(3) gives the controller one calendar month from receipt to respond. For complex cases or high volumes of simultaneous requests, Article 12(3) allows an extension of up to two further months, but the controller must notify you of the extension and the reason for it within the first month. You should receive at minimum a substantive acknowledgment within one month in every case; silence is not a valid response.

If the controller acts on your request, it must confirm that erasure has been carried out and identify which data or categories of data were deleted. A response that says only "we have noted your request" without confirming action is not compliant with Article 12.

If the controller decides not to act, Article 12(4) requires it to inform you without delay and at the latest within one month of receipt of the reasons for not acting and of two escalation routes: the right to lodge a complaint with a supervisory authority (your national data protection authority, or DPA), and the right to seek a judicial remedy directly against the controller in the courts of the Member State where the controller is established.

Infringement of Article 17 (including failure to respond in time or an unjustified refusal) falls under Article 83(5)(b) of the GDPR as a violation of data subjects' rights. The maximum administrative fine is 20 million euros, or in the case of an undertaking, 4 percent of total worldwide annual turnover of the preceding financial year, whichever is higher.

How to Submit a Search Engine De-Referencing Request

For de-referencing from search results under Articles 17(1) and 17(2), submit the request directly to the search engine operator, not to the website hosting the content. The search engine is an independent controller.

Your request should identify:

1. The specific URLs you want removed from search results (copy the exact links from your search results page).
2. The search queries that cause those URLs to appear in connection with your name.
3. The Article 17(1) ground you are relying on.
4. Why the results are irrelevant, outdated, excessive, or otherwise unjustified relative to your privacy interest, for example that the events are old, that you were not a public figure, that the matter has been resolved, or that you were a minor at the time.

Search engine operators review de-referencing requests individually. They may decline where they determine that a public-interest exception under Article 17(3)(a) applies, particularly for public figures, recent or ongoing news events, or professional conduct information that is genuinely in the public interest. If a search engine refuses your request, you can escalate to your national DPA, which can investigate and, if it finds the refusal unjustified, order the operator to comply. You can also challenge a refusal directly in the courts of the Member State where the operator's EU establishment is located.

UK GDPR: The Post-Brexit Equivalent

Following Brexit, the United Kingdom retained the GDPR as the UK GDPR under the European Union (Withdrawal) Act 2018, alongside the Data Protection Act 2018. The right to erasure under the UK GDPR mirrors Article 17 of the EU GDPR in its core structure: the same six grounds in Article 17(1), the same five exceptions in Article 17(3), and the same one-month response timeline under Article 12(3).

Key differences from the EU GDPR:

The UK GDPR is enforced by the Information Commissioner's Office (ICO), not by EU Member State supervisory authorities or the EDPB. If you are located in the UK and your erasure request is refused, you complain to the ICO, not to a continental DPA.

The ICO has published detailed guidance on the right to erasure for both individuals and organisations, covering how to assess whether erasure is required, how to handle requests from children, and when exceptions apply. That guidance is grounded in the same Article 17 framework but may diverge from EDPB guidance over time as the two legal systems develop independently post-Brexit.

For individuals: a UK resident exercising erasure rights against a UK-established controller complains to the ICO. A UK resident exercising rights against an EU-established controller that processes UK residents' data under the EU GDPR must still engage with the relevant EU Member State DPA for EU-law enforcement purposes, though the practical resolution often involves both authorities.

No US Federal Equivalent

There is no comprehensive federal US equivalent to the GDPR right to be forgotten. The United States has no general federal data privacy statute granting consumers a universal right to demand erasure of personal data from private organisations.

The closest US analogue at the state level is the right to deletion under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), codified at California Civil Code section 1798.105. That right applies only to California residents dealing with covered businesses meeting specific revenue or data-volume thresholds, and it contains its own extensive list of exceptions.

At the federal level, the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. section 6501, gives parents the right to request deletion of personal data collected online from children under 13 by COPPA-covered operators. COPPA's threshold is fixed at 13 with no state-level discretion, it covers only operators directed to children or with actual knowledge of collection from children, and the right belongs to parents rather than the individuals themselves.

US courts have generally declined to recognise a right to compel search engine de-listing of lawful content, relying on the First Amendment and Section 230 of the Communications Decency Act. A US resident cannot replicate an Article 17 erasure request under current federal law.

Practical Steps: Summary Checklist

Whether you are an individual making a request or an organisation deciding how to handle one, the following steps reflect the Article 17 framework.

For individuals requesting erasure:

1. Identify which of the six Article 17(1) grounds applies to your situation.
2. Consider submitting a subject access request first under Article 15 to establish exactly what data the controller holds and on what legal basis, particularly if you are unsure whether ground (a) (data no longer necessary) applies.
3. Submit the erasure request in writing, naming the ground, the specific data, and your contact details. Free of charge.
4. Note the date of submission: the one-month clock starts on receipt.
5. If the controller has not responded within one month, or has refused without citing a specific Article 17(3) exception, lodge a complaint with your national DPA (in the UK: the ICO).
6. For search engine de-referencing, submit directly to the operator's privacy rights form with the specific URLs and your reasons.

For organisations handling erasure requests:

1. Verify the requestor's identity using proportionate means and respond promptly.
2. Assess whether any of the six grounds applies.
3. If a ground applies, assess whether any Article 17(3) exception justifies continued retention. Document the assessment.
4. If erasing, confirm in writing which data has been deleted.
5. If refusing, specify the exact Article 17(3) exception in the refusal letter and inform the requestor of their right to complain to the supervisory authority and to seek a judicial remedy.
6. If the data has been made public, comply with the Article 17(2) cascade obligation and notify downstream controllers of the erasure request.
7. Respond within one month; if an extension is needed, notify the requestor of this and the reason before the first month expires.

Disclaimer: This page provides general legal information about the GDPR right to erasure and is not legal advice. Data protection law involves complex fact-specific assessments and varies across EU Member States in important respects. If you are facing a specific erasure situation as a data subject or as a controller, consult a qualified data protection lawyer or your national data protection authority.

Related Guides

• GDPR International Data Transfers: Chapter V Rules (2026)
• Does GDPR Apply to US Companies? A Compliance Guide
• EU AI Act and Data Privacy: GDPR Intersection Explained
• EU Data Privacy Laws: GDPR, AI Act and the 2025-2026 Digital Reforms
• What Is GDPR? Complete Guide to EU Data Protection (2026)