
GDPR and Your Right to Be Forgotten — A Practical Guide

The General Data Protection Regulation (GDPR) is one of the most powerful privacy laws in the world — and it gives you specific rights over your personal data, including your photographs. If your face appears on a website without your consent, the GDPR can be your most effective tool for getting it removed.

What Is the Right to Erasure?

Article 17 of the GDPR, commonly known as the "Right to Be Forgotten," gives individuals the right to request the deletion of their personal data. Photographs of your face are classified as biometric data under the GDPR — one of the most protected categories of personal data.

This means any website that stores, processes, or displays a recognizable photo of you is handling your personal data and must comply with GDPR requirements.

When Does the Right to Erasure Apply?

You can request erasure when the data is no longer necessary for its original purpose, you withdraw your consent (if consent was the basis for processing), you object to the processing and there are no overriding legitimate grounds, the personal data was unlawfully processed, or the data must be erased to comply with a legal obligation.

For unauthorized photos, the most common grounds are withdrawal of consent (you never gave it in the first place) and unlawful processing (they had no legal basis to publish your photo).

Who Must Comply?

The GDPR applies to any organization that processes the personal data of EU residents, regardless of where the organization is based. This means a website based in the United States, Asia, or anywhere else must still comply if it serves EU users or processes EU residents' data.

30 days to respond
€20M maximum fine
4% of global turnover (alternative fine)

How to Submit a GDPR Erasure Request

Step 1: Identify the Data Controller

The "data controller" is the entity that decides how and why your data is processed. This is typically the website owner. Check their Privacy Policy for their legal name and contact details, or look for a designated Data Protection Officer (DPO) email.

Step 2: Send Your Request

📧 Template: GDPR Erasure Request
Subject: Right to Erasure Request — Article 17 GDPR

Dear Data Protection Officer / [Company Name],

I am writing to exercise my right to erasure under Article 17 of the General Data Protection Regulation (GDPR).

I request the deletion of the following personal data: photograph(s) of my face published at [URL(s)].

This personal data was published without my consent and I have no ongoing relationship with your service that would justify its continued processing. My photograph constitutes biometric data under Article 9 of the GDPR, which requires explicit consent for processing.

Under Article 17(1), I request that you erase this data without undue delay and no later than one month from receipt of this request, as required by Article 12(3).

Please confirm receipt and the actions you will take to comply.

Regards,
[Full Name]
[Country of Residence]
[Email Address]

Step 3: Wait for Response (30 Days)

The website must respond within 30 days. They can either comply and confirm deletion, request an extension of up to 60 additional days (for complex cases, with justification), or refuse with a specific legal reason.

Step 4: Escalate If They Don't Comply

If the website ignores your request or refuses without valid grounds, you have several escalation options. File a complaint with your national Data Protection Authority (DPA) — for example, the CNIL in France, the ICO in the UK, or the DPA in Belgium. You can also seek a court order for erasure, or claim compensation for damages caused by the GDPR violation.

Exceptions — When Websites Can Refuse

The right to erasure is not absolute. A website can refuse if the data is necessary for exercising the right of freedom of expression and information (journalism exemption), for compliance with a legal obligation, for reasons of public interest in the area of public health, or for the establishment, exercise, or defense of legal claims.

However, these exceptions rarely apply to unauthorized personal photos on commercial websites, content aggregators, or social media platforms.

Beyond Erasure: Other GDPR Rights

The GDPR gives you additional rights that can complement your erasure request. The Right to Access (Article 15) lets you request all personal data a website holds about you. The Right to Restriction (Article 18) allows you to request that processing be paused while your erasure request is being considered. The Right to Object (Article 21) lets you object to processing based on legitimate interests.

Find every website with your photos

Use Protevio to discover where your face appears, then use our GDPR templates to request removal.
