The right to erasure (also called the right to be forgotten) means that individuals have the right to request the erasure of their personal data in certain situations. Data controllers must respond immediately to such a request. Recently, ICD conducted a survey that revealed most people feel the right to be forgotten will pose the greatest challenges to their organization. It is an interesting result and not what was expected. It says a lot about the great number of changes and challenges the GDPR will bring for organizations.
There are several situations in which this right can be applied. The first is when the data is no longer necessary for the purpose for which it was collected. The second is when the data subject withdraws consent and there is no other justification, legal or otherwise, to continue the processing. Another situation is when the data processing is unlawful (in a way that can be considered a breach under the GDPR).
Of course, there are also exemptions. For instance, if the processing is necessary to exercise the right of freedom of expression and information, the right to erasure does not apply. The same holds when the processing is required for public health reasons, for the establishment, exercise or defence of legal claims, for the exercise of an official authority or for compliance with a legal obligation.