What Is GDPR Article 17?

GDPR Article 17 gives EU residents a right to request that any organization processing their personal data erase it when: the data is no longer necessary for the purpose it was collected; consent was withdrawn and no other legal basis applies; the data was unlawfully processed; or erasure is required by law. For intimate imagery of EU residents hosted on EU-regulated platforms, Article 17 provides a complementary pathway to removal alongside national NCII laws. Most major platforms operating in the EU have established GDPR erasure request processes. Responses are required within 30 days — slower than the 48-hour U.S. TAKE IT DOWN Act mandate but covering a broader range of content types.

Key facts about this term

1. Article 17 covers personal data broadly, not just intimate imagery GDPR Article 17 applies to any personal data processed without legal basis — including photographs, identifying information, and intimate imagery. It is broader than NCII-specific law.
2. EU platforms must respond within 30 days GDPR erasure requests must receive a substantive response within 30 days, extendable by two months for complex cases. Non-compliance can trigger GDPR enforcement action and significant fines.
3. Article 17 can complement Section 223a notices for international content For intimate imagery hosted on EU-regulated platforms, filing both a Section 223a notice (for U.S. law) and a GDPR Article 17 request may maximize removal speed and legal coverage.