Right to Be Forgotten Under GDPR 2026: Practical Guide for Germany and Austria
What Is the Right to Be Forgotten?
The right to be forgotten (Recht auf Löschung) under Article 17 of the General Data Protection Regulation (GDPR) gives you the power to request that a company or organization delete your personal data. This is not an absolute right — it must be balanced against other rights, such as freedom of expression or legal obligations to retain data. For ordinary people in Germany and Austria, this right can be a lifeline when old, inaccurate, or irrelevant information about you keeps appearing online, harming your reputation or privacy.
In plain terms: if a search engine lists an outdated news article about a minor offense you committed years ago, or a social media platform refuses to remove your old posts, you can ask them to delete that data. The GDPR sets a Europe-wide standard, but national laws in Germany (Bundesdatenschutzgesetz – BDSG) and Austria (Datenschutzgesetz – DSG) add specific rules and exceptions.
Step-by-Step: How to Exercise Your Right to Be Forgotten
Step 1: Identify the Data Controller
First, determine who is responsible for the data you want deleted. This could be a website operator, a search engine (like Google or Bing), a social media platform, or a company that processed your data. The controller is usually named in the privacy policy (Datenschutzerklärung) of the service.
Step 2: Prepare Your Request
Write a formal request (Löschungsantrag) that includes:
- Your full name and contact information
- A clear description of the data you want deleted (e.g., a specific URL, a post, or a search result)
- The reasons why you believe the data should be erased (e.g., it is no longer necessary, you withdraw consent, or the processing was unlawful)
- Any supporting evidence, such as screenshots or proof of identity
Send this request via email or postal mail to the data protection officer (Datenschutzbeauftragter) of the controller. Keep a copy for your records.
Step 3: Wait for a Response
The controller must respond within one month (Article 12(3) GDPR). They can extend this by two more months if the request is complex. If they refuse, they must explain why and inform you of your right to complain to a supervisory authority.
Step 4: File a Complaint
If the controller denies your request or does not respond, you can file a complaint with the relevant data protection authority. In Germany, this depends on your federal state (Landesdatenschutzbeauftragter). In Austria, the authority is the Datenschutzbehörde (DSB).
Legal Basis and Exceptions
The GDPR lists several grounds for deletion (Article 17(1)):
- The data is no longer necessary for the purpose it was collected
- You withdraw consent and there is no other legal basis
- You object to processing and there are no overriding legitimate grounds
- The data was processed unlawfully
- The data must be erased to comply with a legal obligation
However, the right can be denied if the processing is necessary for:
- Exercising the right of freedom of expression and information
- Compliance with a legal obligation (e.g., tax retention periods)
- Public health reasons
- Archiving purposes in the public interest
- Establishing, exercising, or defending legal claims
Germany vs. Austria: Key Differences
While the GDPR is the same across the EU, Germany and Austria have implemented national laws that affect how the right to be forgotten works in practice.
Germany (BDSG)
The German BDSG (Bundesdatenschutzgesetz) supplements the GDPR with specific rules for non-public bodies. Section 35 BDSG addresses the deletion of data held by public authorities. In Germany, the right to be forgotten is often applied in the context of criminal records (Bundeszentralregister) and press archives. German courts have been strict about balancing privacy with press freedom. For example, the Federal Constitutional Court (BVerfG) has ruled that even lawful reporting can be subject to deletion after a certain time if the individual's right to privacy outweighs the public's interest in the information.
Austria (DSG)
Austria's DSG (Datenschutzgesetz) largely mirrors the GDPR but includes specific provisions for processing by public bodies. The Austrian Datenschutzbehörde is known for being proactive and accessible to individuals. In Austria, the right to be forgotten is often invoked in cases of online defamation or outdated social media posts. Austrian law also recognizes a specific right to have search results de-listed, similar to the EU Court of Justice's ruling in Google Spain (C-131/12).
One practical difference: in Germany, you often need to approach the state-level data protection authority, which can vary in responsiveness. In Austria, the DSB is a single national authority, making the complaint process more streamlined.
Frequently Asked Questions (FAQ)
1. Can I request deletion of search results about me?
Yes. Under the GDPR, you can ask search engines like Google or Bing to remove links to pages that contain your personal data if the information is inadequate, irrelevant, or excessive. This is often called de-listing (Delisting). However, search engines may refuse if the information is in the public interest (e.g., news about a public figure).
2. How long does the deletion process take?
The data controller must respond within one month. If they agree, deletion should happen promptly. If they refuse, you can file a complaint, which may take several months to resolve.
3. What if the data is held by a public authority?
Public authorities, such as tax offices or registries, must also comply with the GDPR. However, they may have legal obligations to retain data (e.g., tax records for 7 years). In such cases, you cannot force deletion until the retention period ends.
4. Can I request deletion of data on social media?
Yes. Platforms like Facebook, Instagram, and X (formerly Twitter) are data controllers. You can request deletion of your posts, photos, or even your entire account. Note that some data may be retained for security or legal reasons.
5. What if the data controller is outside the EU?
The GDPR applies to any company that offers goods or services to people in the EU or monitors their behavior. If a US-based website targets German users, it must comply with your deletion request. You can file a complaint with your local data protection authority if they refuse.
6. Do I need a lawyer to enforce my right?
Not necessarily. Most requests can be made directly by you. However, if the case is complex (e.g., involving press freedom or multiple jurisdictions), a lawyer specializing in data protection law (Datenschutzrecht) can help. In Germany, legal aid (Prozesskostenhilfe) may be available if you have limited income.
Official Resources
For more detailed information, consult these official sources:
- GDPR (Regulation (EU) 2016/679): EUR-Lex – GDPR full text
- German BDSG (Bundesdatenschutzgesetz): Gesetze im Internet – BDSG
- Austrian DSG (Datenschutzgesetz): RIS – DSG
- German Data Protection Authorities (federal and state): BfDI – List of authorities
- Austrian Data Protection Authority (DSB): DSB – Official website
- European Data Protection Board (EDPB) guidelines: EDPB guidelines
Next Steps
If you believe your personal data is being processed unfairly or you want to remove outdated information, start by identifying the data controller and sending a clear deletion request. If you need personalized guidance tailored to your situation, consider consulting a data protection expert.
Ask about your specific situation ↘
Have a specific situation?