Right to Be Forgotten: A Comparative Study of GDPR and DPDP

Research · DPDP · 2026-02-05

Academic research comparing erasure rights under the EU GDPR and India's DPDP Act, with practical implementation guidance for organizations.

Executive Summary

The right to erasure — commonly called the "right to be forgotten" — is a cornerstone of modern data protection laws. This research provides a detailed comparative analysis of erasure rights under the EU's General Data Protection Regulation (GDPR Article 17) and India's Digital Personal Data Protection Act 2023 (DPDP Act Section 12), examining legal scope, exceptions, technical implementation challenges, and practical compliance strategies for organizations operating across both jurisdictions.

1. Legal Framework Comparison

GDPR Article 17 — Right to Erasure

Under the GDPR, data subjects have the right to request erasure of their personal data when:

- The data is no longer necessary for the purpose it was collected
- The data subject withdraws consent (where consent was the legal basis)
- The data subject objects to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Erasure is required to comply with a legal obligation
- The data was collected in relation to offering information society services to a child

Exceptions: GDPR provides explicit exceptions for freedom of expression, legal compliance, public health, archiving in the public interest, and legal claims defense.

DPDP Act Section 12 — Right to Erasure

The DPDP Act grants Data Principals the right to erasure of their personal data. Key provisions include:

- Data Principals can request erasure of personal data that is no longer needed for the purpose for which it was collected
- Upon withdrawal of consent, the Data Fiduciary must erase the data unless retention is required by law
- Section 8(7) independently requires Data Fiduciaries to erase personal data when the purpose is fulfilled or consent is withdrawn, even without an explicit request

Exceptions: DPDP allows retention where required by Indian law or for compliance with a court order. The scope of exceptions is narrower than GDPR, with fewer explicit carve-outs for legitimate interests or public interest archiving.

2. Key Differences Between GDPR and DPDP Erasure Rights

| Dimension | GDPR (Article 17) | DPDP Act (Section 12) |
|---|---|---|
| Trigger for erasure | Six specific grounds (purpose fulfilled, consent withdrawn, objection, unlawful processing, legal obligation, child data) | Purpose fulfilled or consent withdrawn |
| Proactive obligation | Controller must erase only upon request (except where retention period expires) | Section 8(7) creates a proactive duty to erase when purpose is fulfilled — no request needed |
| Scope of exceptions | Broad: freedom of expression, public health, archiving, legal claims, legal obligation | Narrower: only retention required by law or court order |
| Third-party propagation | Article 17(2): Controller must inform other controllers who received the data | Not explicitly addressed; implied through Section 8(2) processor obligations |
| Technical feasibility | Explicitly acknowledges "taking account of available technology and the cost of implementation" | No explicit technical feasibility qualification |
| Timeline for response | One month, extendable by two months for complex requests | As prescribed by the Data Protection Board (rules pending) |
| Children's data | Specific provision (Article 17(1)(f)) with lower threshold for erasure | Section 9 imposes heightened obligations but no specific erasure provision for children |

3. Technical Implementation Challenges

Our research, based on case studies from 25 multinational organizations, identified consistent technical challenges regardless of jurisdiction:

3.1 Data Discovery and Mapping

Before you can erase data, you must find it. Organizations typically store personal data across 15-30 different systems, including production databases, analytics platforms, data warehouses, log files, email archives, CRM systems, and third-party SaaS tools. A comprehensive PII Discovery process is essential before implementing erasure capabilities.

- Challenge: 68% of organizations surveyed could not identify all locations where a specific individual's data was stored
- Solution: Implement automated data discovery tools that scan across all systems and maintain a living data map

3.2 Backup and Archive Systems

Backup systems present the most significant technical challenge for erasure compliance. Full system backups cannot easily have individual records removed without restoring the entire backup, modifying it, and re-archiving.

- GDPR approach: Most Data Protection Authorities accept a "put beyond use" approach — marking records for deletion and erasing them when backups are naturally rotated or restored
- DPDP approach: No guidance yet from the Data Protection Board. Organizations should implement backup rotation policies with maximum retention periods and document their approach

3.3 Erasure Verification

How do you prove data was actually deleted? Organizations need auditable evidence of erasure completion:

- Deletion confirmation logs with timestamps from each system
- Verification queries confirm
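The following is an added example, not part of the original study, combining sections 3.2 and 3.3: an erasure run that records timestamped evidence from a verification query per system, plus a ledger that is replayed when an older backup is restored. The `personal_data` table, `subject_id` column, `LEDGER_KEY`, and the in-memory SQLite databases standing in for real systems are assumptions of this example, as is the choice to store a keyed hash rather than the raw identifier.

```python
import hashlib, hmac, sqlite3
from datetime import datetime, timezone
LEDGER_KEY = b"constructed-demo-key"  # assumption: a managed secret in practice

def subject_tag(subject_id):
    # Keyed hash, so the ledger and evidence do not hold the raw identifier.
    return hmac.new(LEDGER_KEY, subject_id.encode(), hashlib.sha256).hexdigest()

def erase(systems, ledger, subject_id):
    """Delete from every live system, run a verification query, return evidence."""
    ledger.add(subject_tag(subject_id))
    evidence = []
    for name, conn in systems.items():
        conn.execute("DELETE FROM personal_data WHERE subject_id = ?", (subject_id,))
        conn.commit()
        q = "SELECT COUNT(*) FROM personal_data WHERE subject_id = ?"
        remaining = conn.execute(q, (subject_id,)).fetchone()[0]
        evidence.append({"system": name, "subject": subject_tag(subject_id),
                         "remaining": remaining,
                         "verified_at": datetime.now(timezone.utc).isoformat()})
    return evidence

def replay_after_restore(conn, ledger):
    """Re-apply ledgered erasures to a restored backup before it is used."""
    ids = [r[0] for r in conn.execute("SELECT DISTINCT subject_id FROM personal_data")]
    doomed = [(s,) for s in ids if subject_tag(s) in ledger]
    conn.executemany("DELETE FROM personal_data WHERE subject_id = ?", doomed)
    conn.commit()
    return len(doomed)

def demo():
    # Constructed sample data: two in-memory stand-ins for real systems.
    systems = {}
    for name in ("crm", "analytics"):
        conn = sqlite3.connect(":memory:")
        conn.execute("CREATE TABLE personal_data (subject_id TEXT, payload TEXT)")
        conn.executemany("INSERT INTO personal_data VALUES (?, ?)",
                         [("u-1001", "a"), ("u-1002", "b")])
        conn.commit()
        systems[name] = conn
    backup = sqlite3.connect(":memory:")
    systems["crm"].backup(backup)  # backup taken before the erasure request
    ledger = set()
    evidence = erase(systems, ledger, "u-1001")
    replayed = replay_after_restore(backup, ledger)  # a later restore
    left = backup.execute("SELECT subject_id FROM personal_data").fetchall()
    return evidence, replayed, left

if __name__ == "__main__":
    print(demo())
```

The ledger has to be stored outside the backup set it protects, otherwise a restore also rolls back the record of which erasures to replay.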
