Can a request be refused?

Yes, in limited cases: when retention is required by law (e.g., 7-year tax records for invoices issued), for the establishment or defence of legal claims, or when processing is necessary for public interest tasks. The controller must document the refusal and explain it to the data subject.

Does it apply to backup data?

Yes, but with a reasonable timeline — backup data must be erased in the next routine restore-and-purge cycle, typically 30-90 days. The controller must document the backup-deletion process so an audit can verify compliance.

Home › Glossary › Right to Be Forgotten

Compliance

Right to Be Forgotten — Plain English Definition + Examples

Right to Be Forgotten is the legal right of a data subject to require a controller to delete their personal data — subject to limited exceptions such as legal obligation, public interest, or vital interest.

Definition

The right to be forgotten (GDPR Article 17, 'right to erasure') is the legal right of a data subject to require a controller to delete their personal data — subject to limited exceptions such as legal obligation, public interest, or vital interest.

In day-to-day European MICE and procurement work, right to be forgotten sits inside a broader workflow that includes the brief, the longlist, the shortlist, the contract negotiation, and the post-event reconciliation. Understanding it in isolation is not enough — what matters is how it interacts with the other levers a planner or procurement team can pull. The definition above is the textbook version; the sections below explain how it actually behaves in real sourcing.

Why Right to Be Forgotten matters

Erasure requests are increasing year-over-year as data subjects become aware of their rights. A MICE buyer (controller) must respond within 30 days, including instructing all processors (hotels, AV vendors, catering subcontractors) to delete the same data. Without a documented process, this becomes a fire drill every time.

The practical takeaway: planners and procurement teams who get right to be forgotten right typically see measurable improvements in either cost, risk exposure, or cycle time — sometimes all three. Teams who default to the supplier's standard language usually leave 5-15% of total event value on the table, often without realizing it. The skill is recognising right to be forgotten when it appears, knowing the market-standard range, and treating any deviation from that range as a negotiation point — not a take-it-or-leave-it.

Example

A conference attendee from 2024 sends an erasure request to the event organiser. The organiser deletes its records and instructs the hotel and catering subcontractor (both Art. 28 processors) to do the same. All three confirm deletion within 28 days; the organiser sends written confirmation to the data subject.

This example is representative of mid-to-large European corporate MICE — pharma, finance, tech, professional services. Smaller events (under 50 attendees) and very large events (1,000+) often follow different conventions, but the underlying logic of right to be forgotten stays the same. The numbers move, the principle doesn't.

Where Right to Be Forgotten appears in contracts

The DPA must require the processor (hotel) to assist with erasure requests, including providing written confirmation of deletion. The MSA should specify the timeline (typically 14 days from controller instruction to processor confirmation), so the controller can meet the 30-day GDPR deadline.

When reviewing a hotel proposal or contract draft, scan for right to be forgotten early — it's often easier to negotiate before the supplier has anchored on their preferred position. Easy RFP surfaces these terms in every comparison view so planners can spot deviations from market-standard ranges at a glance, rather than reading 14-page proposals line by line.

Related terms

Deeper reading

Related guides on the blog

Put this into practice

Easy RFP builds right to be forgotten thinking into every hotel RFP — so you negotiate from data, not from memory.

Operationalise data rights →