How long does it take to implement ComplyDog?

ComplyDog can be initially set up in 30 minutes and fully implemented in an afternoon.

Who is ComplyDog for?

ComplyDog is designed for B2B SaaS founders and startups that are compliant with GDPR but want to automate tedious tasks such as when a prospect requests a signed DPA or requests for more information on security practices.

What kind of integrations does ComplyDog provide?

ComplyDog comes with integrations with Docusign and Dropbox Sign so that your prospects and users can request signed DPAs without your manual involvement.

Right to be Forgotten: Deleting Your Digital Past

Name: ComplyDog
Price: 42 USD
Rating: 4.50 (2 reviews)
Author: ComplyDog

Privacy is a fundamental human right, but in our digital world, maintaining it can feel impossible. The "right to be forgotten" represents one of the most important—and controversial—privacy concepts in modern data protection law. It empowers individuals to request the deletion of their personal information from search engines and other data controllers.

I've spent years helping companies navigate privacy regulations, and the right to be forgotten remains one of the most misunderstood concepts. So let's clear things up.

What is the Right to be Forgotten?
Legal Foundations: GDPR Article 17
How the Right to be Forgotten Works
Limitations of the Right to Erasure
Landmark Cases that Shaped the Right
Practical Steps for Data Controllers
How to Submit a Removal Request
Global Perspectives on Digital Forgetting
Balancing Privacy and Information Access
Implementing Compliance for Your Business

What is the Right to be Forgotten?

The right to be forgotten (RTBF)—also known as the right to erasure—gives individuals the power to request the removal of their personal data from online databases, search results, and other public sources. It's about giving people control over their digital footprint when that information is no longer relevant, accurate, or necessary.

Think of it as a digital reset button. Not an absolute one, mind you, but a mechanism that recognizes people shouldn't be permanently defined by their past actions, especially when those actions are displayed prominently in search results long after they occurred.

The concept recognizes a simple truth: humans change, circumstances evolve, and information loses relevance over time. What might have been appropriate to publish about someone ten years ago may no longer serve any legitimate purpose today.

But this right isn't unlimited. It exists in constant tension with other important values:

Freedom of expression
Public interest in accessing information
Historical documentation
Legal obligations to retain certain records

And that's what makes it fascinating—and complicated. The RTBF isn't a universal eraser; it's a calibrated tool that weighs competing interests.

The most robust legal framework for the right to be forgotten comes from the European Union's General Data Protection Regulation (GDPR). Article 17 specifically outlines the "right to erasure," establishing the conditions under which individuals can request the deletion of their personal data.

Under GDPR, individuals can request erasure when:

The data is no longer necessary for its original purpose
The individual withdraws consent for data processing
The individual objects to processing and there are no overriding legitimate grounds
The data was processed unlawfully
Erasure is required to comply with a legal obligation
The data was collected in relation to the offer of information society services to children

Here's the actual text from Article 17(1):

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay [under specific conditions]...

But what many people miss is the built-in limitations. Article 17(3) specifies exceptions where the right doesn't apply:

When exercising freedom of expression and information
When complying with legal obligations
For reasons of public interest in public health
For archiving purposes in the public interest, scientific or historical research, or statistical purposes
For establishing, exercising, or defending legal claims

What does this mean in practice? It means you can ask Google to remove outdated information about you from search results, but they don't have to comply if the information serves a legitimate public interest.

How the Right to be Forgotten Works

Implementing the right to be forgotten involves a multi-step process that balances individual rights against broader societal interests.

Let's break down the general process:

Request submission: An individual submits a request to a data controller (like Google or Facebook) identifying the specific information they want removed.
Request evaluation: The controller assesses the request against legal criteria, considering:
- Is the information inaccurate?
- Is it irrelevant or excessive?
- Is there a compelling public interest in keeping it available?
- Are there legal grounds for retaining the information?
Decision and action: The controller decides whether to approve or deny the request. If approved, they must remove the data "without undue delay."
Notification to third parties: Controllers must take "reasonable steps" to inform other controllers processing the same data about the erasure request.
Appeal process: If a request is denied, individuals can appeal to data protection authorities or seek judicial remedies.

But there's a gap between theory and practice. I've observed that the effectiveness of this process varies dramatically depending on the data controller, the nature of the information, and even the persistence of the individual making the request.

For search engines like Google, the process often looks like this:

Step	Description	Timeframe
1	Submit removal request via online form	Immediate
2	Receive acknowledgment	1-3 days
3	Request review by search engine team	1-4 weeks
4	Decision communicated to requester	2-8 weeks
5	Implementation of approved removals	Within days of approval

Search engines must balance your privacy rights against the public's right to access legitimate information. They typically evaluate:

Your role in public life (public figures have fewer removal rights)
The nature of the information (sensitive data gets more protection)
The source of the information (official records are harder to delist)
Time passed (older information may be less relevant)
Impact on your life vs. public interest in access

An important distinction: even when content is de-listed from search engines, it often remains on the source website. The right to be forgotten primarily addresses how easily information can be found, not necessarily its complete deletion from the internet.

Limitations of the Right to Erasure

The right to be forgotten is powerful, but it's far from absolute. Let's examine what it can't do:

Technical limitations: Once information spreads online, achieving complete erasure becomes nearly impossible. Data may be cached, archived, or copied to multiple locations beyond the reach of any single data controller.

Jurisdictional constraints: The GDPR's territorial scope has limits. While Google will remove results from European domains like google.fr or google.de, they may remain visible on google.com or through VPNs.

In 2019, the European Court of Justice ruled that search engines don't have to apply the right to be forgotten globally, limiting its application to EU domains.

Override exceptions: Several legitimate interests can override erasure requests:

Freedom of expression and information
Compliance with legal obligations
Public health interests
Scientific, historical, or statistical research
Legal claims

Practical challenges: For individuals, proving that their data no longer serves its purpose or is no longer relevant can be subjective and difficult.

The Streisand Effect: Ironically, attempting to remove information sometimes draws more attention to it. When people learn something is being suppressed, they become more interested in finding it.

For businesses, the challenge lies in developing systems that can accurately identify, track, and remove personal data across complex data environments—while documenting compliance throughout the process.

These limitations highlight why the right to be forgotten represents a balancing act rather than an absolute right. It's about proportionality—weighing individual privacy against other legitimate interests on a case-by-case basis.

Landmark Cases that Shaped the Right

The right to be forgotten didn't appear overnight. It evolved through several pivotal legal cases that tested and defined its boundaries.

Google Spain v. AEPD and Mario Costeja González (2014)

This landmark European Court of Justice case effectively created the right to be forgotten. Mario Costeja González wanted Google to remove links to a 1998 newspaper article about his resolved debt issues. The court ruled that:

Search engines are "data controllers" under EU law
Individuals can request removal of links to irrelevant or outdated information
Search engines must evaluate such requests case-by-case

The ruling established that privacy rights can sometimes outweigh the public interest in accessing certain information and the economic interests of search engines.

Google v. CNIL (2019)

This case answered a crucial question: does the right to be forgotten extend globally? The European Court of Justice ruled that search engines don't need to apply the right beyond EU borders. The court found that:

EU law doesn't require global de-listing
Search engines must apply the right across all EU member states
Search engines should prevent or seriously discourage EU users from accessing de-listed results

This decision limited the territorial scope of the right to be forgotten, recognizing the delicate balance between EU privacy rights and other jurisdictions' legal frameworks.

NT1 & NT2 v. Google (2018)

Known as the "right to be forgotten" case in the UK, this involved two businessmen wanting Google to remove search results about their criminal convictions. The court created a nuanced approach:

NT1's request was denied because his conviction was for serious business fraud and he showed no remorse
NT2's request was approved because his conviction was less serious and he showed genuine remorse

This case highlighted how factors like the severity of past actions, time elapsed, and relevance to current public life affect de-listing decisions.

These cases demonstrate the evolving nature of the right to be forgotten. Each ruling has refined the concept, creating a framework that attempts to balance individual privacy against legitimate public interests.

Practical Steps for Data Controllers

For organizations processing personal data, the right to be forgotten presents both legal obligations and practical challenges. Here's how data controllers should prepare:

1. Create Clear Erasure Request Procedures

Establish transparent, accessible procedures for individuals to submit erasure requests. This should include:

Multiple submission channels (online forms, email, postal mail)
Verification processes to confirm the requester's identity
Clear timelines for acknowledging and responding to requests
Templates for communication throughout the process

A well-defined process helps ensure compliance while managing requesters' expectations.

2. Implement Technical Capabilities

Build the technical infrastructure needed to execute erasure requests effectively:

Data mapping to know where personal data resides across all systems
Search capabilities to locate specific individuals' data
Deletion mechanisms that can remove data without disrupting system integrity
Audit trails to document erasure actions

Remember that partial deletion may be necessary—removing data from active systems while retaining it in backup archives with safeguards against reintroduction.

3. Establish Evaluation Criteria

Develop clear guidelines for assessing erasure requests:

Does the request meet legal grounds for erasure?
Do any exceptions apply?
Is the data still necessary for its original purpose?
Does continued processing have a legal basis?
What legitimate interests might override the erasure request?

Document your reasoning for approving or denying each request.

4. Third-Party Notification Protocol

When you erase data that has been shared with third parties:

Maintain records of where data has been shared
Create standardized notification methods for informing recipients
Document all notification efforts
Implement confirmation processes to verify third-party compliance

5. Staff Training

Privacy compliance isn't just a technical issue—it's a human one. Train relevant staff on:

The legal basis for the right to erasure
How to recognize and process erasure requests
Decision-making criteria and documentation requirements
Communication guidelines for interacting with requesters

6. Regular Process Review

Privacy law continues to evolve. Schedule regular reviews of your erasure procedures to:

Incorporate lessons from past requests
Adapt to new regulatory guidance or court decisions
Improve efficiency and effectiveness
Ensure continued compliance

By implementing these practical steps, organizations can transform their RTBF compliance from a reactive scramble into a structured, manageable process. This not only reduces legal risk but also builds trust with customers and users who see their privacy rights respected.

How to Submit a Removal Request

If you've decided to exercise your right to be forgotten, here's a practical guide to submitting a removal request:

For Search Engines

Major search engines provide dedicated forms for removal requests:

Google: Use their "Request to remove information you see in Google Search" form
Bing: Submit a "Right to be Forgotten" request through the Microsoft Privacy Dashboard
Yahoo: Complete their "Request to Block Search Results In Yahoo Search" form

When submitting your request, include:

Your full name and contact information
The specific URLs you want removed
Why you believe the content should be removed (citing applicable GDPR grounds)
Context about why the information is irrelevant, outdated, or otherwise problematic
Any supporting documentation

Be specific and thorough, as vague requests are more likely to be rejected.

Social media platforms typically offer several options:

Direct deletion: For content you posted yourself, the simplest approach is to delete it directly.
Account deletion: Most platforms allow full account deletion, which should remove most of your content.
Data request tools: Major platforms provide tools to request deletion of specific information:
- Facebook: Privacy Center's "Your Data and Privacy Choices"
- Twitter: Privacy settings under "Your account"
- Instagram: Privacy and Security settings
- LinkedIn: Settings & Privacy section

For Websites and Other Data Controllers

For third-party websites:

Contact the site directly: Look for privacy policy information with contact details for privacy requests.
Provide necessary information:
- Your identity
- The specific content you want removed
- The legal basis for your request
- Why the content no longer serves its purpose or is inappropriate
Follow up: If you don't receive a response within 30 days (the GDPR time limit), contact your national data protection authority.

After Submission

Keep records of all your communications, including:

When and how you submitted your request
Any reference numbers or acknowledgments
All responses received
Dates of follow-up communications

If your request is denied, you have options:

Appeal directly to the data controller with additional information
File a complaint with your national data protection authority
Seek legal advice about court remedies

Remember that persistence often pays off. Many initial rejections can be overturned with additional context or by escalating to supervisory authorities.

Global Perspectives on Digital Forgetting

The right to be forgotten has evolved differently across the globe, reflecting varying cultural and legal approaches to privacy.

European Union: The Gold Standard

The EU leads with the most comprehensive right to be forgotten through the GDPR. European privacy philosophy views personal data control as a fundamental right. The EU's approach:

Creates enforceable legal rights for individuals
Imposes clear obligations on data controllers
Backs enforcement with significant penalties
Balances privacy against other fundamental rights

United States: A Patchwork Approach

The US lacks comprehensive federal privacy legislation providing a right to be forgotten. Instead:

The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) include limited deletion rights
Other states like Virginia, Colorado, and Utah have enacted similar but varying provisions
Case law generally favors freedom of expression over privacy when they conflict

This creates a geographic lottery where your erasure rights depend on where you live.

South America: Following Europe's Lead

Several Latin American countries have embraced the right to be forgotten:

Argentina recognized a right to de-listing in "Rodríguez, María Belén v. Google" (2014)
Brazil's General Data Protection Law includes erasure rights similar to GDPR
Colombia's Constitutional Court recognized the right in 2015

Asia-Pacific: Divergent Approaches

Asian countries have taken varied approaches:

South Korea's Personal Information Protection Act includes robust deletion rights
Japan's Act on the Protection of Personal Information provides more limited erasure rights
China's Personal Information Protection Law now includes deletion rights
India's proposed data protection framework includes a right to be forgotten

Russia: The "Right to be Forgotten" Law

Russia enacted a specific law in 2016 requiring search engines to remove links to information that is inaccurate or irrelevant. However, its implementation differs from the EU approach, with critics noting potential censorship concerns.

Global Challenges

This global diversity creates significant challenges:

Companies operating internationally must navigate conflicting requirements
Enforcement across borders remains problematic
Internet users have vastly different rights based on location
Technical implementation becomes complex in a borderless digital world

The trend, however, is clear: more countries are recognizing some form of digital erasure rights, even as the specific boundaries and implementations vary widely. The global conversation around digital forgetting continues to evolve, with the EU model serving as a reference point—whether as an example to follow or a cautionary tale, depending on the jurisdiction.

Balancing Privacy and Information Access

The right to be forgotten exists at the intersection of two fundamental values: personal privacy and public access to information. Finding the proper balance requires careful consideration of several factors:

Individual Factors

Not all information deserves the same protection or exposure:

Time passed: Information typically becomes less relevant with age
Accuracy: Inaccurate information has less claim to remain accessible
Original purpose: Data should not persist beyond its needed lifetime
Sensitivity: Highly personal information deserves stronger protection
Public role: Public figures have reduced privacy expectations for information relevant to their public activities

Societal Considerations

Broader social interests must weigh against individual privacy:

Historical record: Society benefits from preserving accurate historical information
Freedom of press: Journalism serves vital democratic functions
Public interest: Information about public safety or corruption deserves protection
Academic and research access: Knowledge advancement requires data access
Chilling effects: Over-removal risks suppressing legitimate speech

Practical Examples of Balancing

This balancing act manifests in real-world scenarios:

A former criminal conviction might be removable after rehabilitation, but not if the person holds public office where character is relevant.
Medical information generally deserves strong privacy protection, except when public health interests require disclosure.
Financial information might warrant removal after debts are settled, unless the person seeks positions of financial trust.
Information about minors typically deserves stronger protection than similar information about adults.
Public statements by politicians generally remain accessible as part of the historical record.

The key lies in proportionality—does the privacy harm to the individual outweigh the public value of continued access? This question must be answered case by case, considering all relevant factors.

Technology complicates this balance further. Digital information's persistence, searchability, and replicability create unprecedented challenges for applying traditional privacy concepts. What once required physical effort to discover can now appear instantly in search results, dramatically changing the practical impact of public information.

The ongoing dialogue between privacy advocates and free speech defenders continues to shape this evolving area of law and ethics. Neither absolute remembering nor complete forgetting serves society's best interests—the challenge lies in finding the appropriate middle ground.

Implementing Compliance for Your Business

Implementing right to be forgotten compliance requires systematic approaches that balance individual rights, business needs, and legal requirements. Here's how businesses can build effective compliance programs:

1. Conduct Data Mapping

You can't delete what you can't find. Start by mapping your data landscape:

Identify all systems containing personal data
Document data flows between systems
Classify data by type, sensitivity, and purpose
Note retention periods and legal bases for processing

This foundation enables swift response when erasure requests arrive.

2. Establish Clear Policies and Procedures

Create comprehensive documentation covering:

How individuals can submit erasure requests
Verification procedures to confirm identity
Assessment criteria for evaluating requests
Decision-making responsibility and authority
Implementation timeframes
Record-keeping requirements

Make these policies accessible to both customers and employees.

3. Implement Technical Solutions

Deploy technology that supports efficient erasure:

Database configurations that enable targeted deletion
Archiving systems that prevent reintroduction of deleted data
Audit trails that document erasure actions
Communication systems for third-party notifications
Request management tracking

The right tools transform compliance from burden to routine operation.

4. Train Your Team

Privacy compliance depends on knowledgeable staff:

Provide role-specific training for employees handling erasure requests
Ensure technical teams understand deletion requirements
Train customer-facing staff to recognize verbal erasure requests
Establish escalation paths for complex cases
Conduct regular refresher training

A well-trained team prevents compliance gaps while building customer trust.

5. Document Everything

Comprehensive documentation protects your business:

Record all requests received
Document decision rationale
Maintain evidence of completion
Log third-party notifications
Track exceptions and their justification

This documentation provides crucial evidence of compliance during regulatory inquiries.

6. Leverage Compliance Software

Modern privacy compliance tools can dramatically simplify this process. Specialized compliance software like ComplyDog can:

Automate data mapping and inventory
Streamline request intake and processing
Provide pre-built workflows for common scenarios
Generate compliance documentation automatically
Track completion status and deadlines
Create audit-ready reports

These systems reduce manual effort while improving accuracy and consistency.

7. Regular Compliance Reviews

Privacy requirements evolve, requiring ongoing attention:

Schedule regular policy reviews
Conduct compliance audits
Test your erasure process with simulations
Incorporate lessons from actual requests
Update procedures based on regulatory guidance

Regular review cycles ensure your compliance program remains effective.

The Business Case for Strong Erasure Practices

Beyond avoiding penalties, strong right to be forgotten practices offer tangible business benefits:

Enhanced customer trust and loyalty
Reduced data storage costs
Lower security risk through data minimization
Competitive advantage in privacy-conscious markets
Smoother mergers and acquisitions due to clean data practices

These advantages make privacy compliance a business asset rather than merely a regulatory burden.

By implementing comprehensive compliance through specialized tools like ComplyDog, businesses can transform the right to be forgotten from a compliance challenge into an opportunity to demonstrate respect for customer privacy and build stronger relationships based on trust.