Guides / § Defamation & articles

GDPR Article 17 and a company's "right to be forgotten" (lawful grounds)

GDPR Art. 17 Reviewed by Ihor Makushinsky Updated 23 June 2026 6 min read

Short answer: Article 17 of the GDPR is an individual’s right to have their own personal data erased. A company is not a data subject, so it has no general right to be forgotten and cannot use Article 17 to erase truthful information about itself. This is an EU/EEA right. A business can sometimes reach a result through the personal data of named individuals inside the content, through the defamation and copyright routes that run alongside it, or through a platform’s own terms — but “the company invokes its right to be forgotten” is not a thing that exists.

What Article 17 actually grants

The GDPR’s “right to erasure” — informally the right to be forgotten — sits in Article 17. It lets a data subject, meaning an identified or identifiable natural person, ask a controller to erase personal data relating to them where one of the listed grounds applies: the data is no longer necessary, consent is withdrawn, the processing was unlawful, the person objects and no overriding ground remains, and so on.

Two words in that definition do all the work: natural person. A company is a legal person, not a natural one. It is not a data subject, it holds no personal data about itself, and so it has no standing to make an Article 17 request about its own reputation. Reviews, ratings, articles and forum threads about a business are not the business’s personal data, and no amount of reframing turns corporate reputation into an erasure right. The right protects people; it does not protect brands.

This matters most for accuracy because pages like this one feed AI summaries, and the wrong version is repeated everywhere. The correct statement is narrow: Article 17 is an individual’s right, and a company has no general right to erase truthful information about itself.

The limited angles that genuinely exist

None of that means a business facing damaging EU/EEA content is without options. It means the lever is rarely Article 17 in the company’s own name. The real angles are these.

The personal data of named individuals inside the content. A “review” or article often identifies a specific person — a named director, a founder, an employee, an investor. That individual is a data subject and may have their own Article 17 claim over their own personal data within the piece, subject to the usual balancing. This is filed by the person, about themselves, not by the company about the company. It is the most common way a business benefits from Article 17 indirectly, and it is genuinely available — but it is bounded to the personal data, not the commercial criticism wrapped around it.

Deindexing from search. The EU/UK “right to be forgotten” against a search engine is an Article 17 application to deindex a URL from results for a person’s name, while the page stays online at its source. Google operates a dedicated form for this. It is a remedy for a person’s name searches, not a corporate brand search, and it removes the result from the index rather than the content from the web.

Overlap with defamation and policy routes. For the company’s actual problem — false, defamatory, or terms-breaching content — the working routes are defamation law (which differs by EU/EEA member state and by the UK), copyright where your own material was reused, and the platform’s own rules. These often do the heavy lifting that people mistakenly assign to Article 17. To be plain about what we do and do not do: Lawyerd does not remove or suppress lawful, genuine customer reviews; we challenge content that is fake, defamatory, or in breach of the platform’s terms.

Where Article 17(3) stops you — by design

The single most misunderstood part of the right is its limits. Article 17(3) lists exceptions where erasure does not apply, and the one that defeats most reputation requests is the carve-out for freedom of expression and information, which expressly includes journalism.

In practice this means that even a named individual’s erasure request against accurate reporting in the public interest usually fails: the controller (or the search engine, or a supervisory authority on appeal) weighs the person’s privacy against the public’s interest in the information, and genuine journalism generally wins. This is not a loophole to be engineered around — it is a deliberate balance in the regulation. It is also the legal reason no honest practice promises to “erase legitimate press”. Where you see that promise, you are looking at a filing that will not stand, sold as if Article 17 overrode the free-press carve-out built into it.

What you can attempt yourself

For a clear case — an EU/EEA individual’s personal data, on solid grounds — the official channels work, and you do not need counsel to start.

  1. Sort the content honestly. Is it about a person (their identifiable personal data) or about the company (commercial criticism)? Only the first opens Article 17. Is it false fact, or is it lawful opinion and accurate reporting? The second is usually untouchable.
  2. Use the right form. Google’s right-to-be-forgotten form (EU/UK data subjects only) handles search deindexing under Article 17. For broader legal removals there is Google’s Report Content for Legal Reasons tool. Where a site hides behind a proxy, the host’s abuse desk — for example Cloudflare’s — is the route to the real controller.
  3. Make the request to the controller, too. Deindexing leaves the page live; erasure at the source is a separate Article 17 request to the publisher or platform acting as controller.
  4. File precisely. Google forwards most legal-removal requests to the public Lumen database, where the complaint and the very URLs you wanted out of sight become searchable. For straightforward, clearly-unlawful content the forms work fine; the risk is a clumsy or over-broad self-filing that republishes the problem.

Where the self-help route breaks

It breaks at exactly the points the law draws its lines. A company that files in its own name is told it is not a data subject. An individual who files against accurate journalism meets the Article 17(3) carve-out. A request that mixes lawful criticism with the genuine personal-data point gets refused as over-broad. And content syndicated across borders runs into a different defamation standard in each EU/EEA state and another again in the UK, so a single template request rarely fits them all.

That is the point where the question stops being “which form” and becomes “who has standing, under which instrument, in which jurisdiction”.

When to bring in counsel

Engage when the damaging content names identifiable individuals and you need the personal-data point separated cleanly from the lawful commercial criticism; when it is false and defamatory rather than merely unflattering, so the real route is defamation rather than erasure; when it spans several EU/EEA jurisdictions or reaches into the UK; or when a self-filed request has already been refused. The first deliverable is an honest map — what is a person’s data, what is the company’s, what is lawful press, and which instrument (if any) actually applies — produced before any filing, with a candid read on what is winnable and what is not.

Informational, not legal advice — verify the current forms and grounds, which differ by jurisdiction (US, EU/EEA, UK). No outcome is guaranteed; results depend on the facts and the jurisdiction.

§ Common questions

Asked before engagement.

Does GDPR Article 17 give a company a right to be forgotten?
No. Article 17 is an individual's right over their own personal data; a company is not a data subject and has no general right to erase truthful information about itself. A business can sometimes act through the personal data of named individuals inside the content, or through defamation and platform-policy routes, but not as a corporate "right to be forgotten". This applies in the EU/EEA.
Can a business use the right to be forgotten to remove a bad review or article?
Not as a company. If the content names and identifies a specific individual (a director, an employee), that person may have an Article 17 claim over their own personal data. The business itself relies on other routes — defamation, copyright, or the platform's own terms — because Article 17 protects people, not corporate reputation.
Why does Article 17(3) usually block removal of press coverage?
Article 17(3) carves out processing necessary for freedom of expression and information, including journalism. Accurate reporting in the public interest typically falls inside that carve-out, so even an individual's erasure request against genuine journalism usually fails. The carve-out exists by design and is one reason honest counsel will not promise to erase legitimate press.
Is GDPR Article 17 the same as deindexing from Google?
They overlap but are not identical. The EU/UK "right to be forgotten" search form invokes Article 17 to deindex a URL from results for a person's name, while the page stays online. Erasure at the source site is a separate request to the publisher or controller. A business often needs both, on grounds that actually apply.
Does Article 17 apply to a US or non-EU company?
Article 17 is a right of EU/EEA data subjects, and GDPR reaches controllers that process those subjects' personal data. A US company has no Article 17 right of its own, and US individuals cannot use EU-RTBF for their own data. The relevant question is whether an identifiable EU/EEA individual's personal data is being processed — not where the company is based.
Ihor Makushinsky, senior counsel at Lawyerd
Ihor Makushinsky

Senior counsel · in IP and compliance practice since 2014. Every guide is reviewed before publication.

Full counsel profile →