Legal Guide · 6 min read · March 6, 2026

GDPR Right to Erasure: How to Get Your Photos Removed

Learn how to use the GDPR right to erasure to demand removal of your photos from websites. Step-by-step guide with template, timelines, and escalation paths.


The GDPR right to erasure (also known as the “right to be forgotten”) gives individuals in the European Union and European Economic Area the legal right to demand that organizations delete their personal data — including photos and videos published without consent. If your intimate images, personal photos, or facial data appear on a website without your authorization, the GDPR provides one of the strongest legal frameworks in the world for forcing their removal.

This guide explains when the right to erasure applies to photos, how to file an erasure request step by step, what to do if the website refuses, and how this right compares to other legal tools like the DMCA and the Take It Down Act.

What Is the GDPR Right to Erasure?

The right to erasure is defined in Article 17 of the GDPR — the European Union’s General Data Protection Regulation. It gives individuals the right to request that any organization holding their personal data delete it, provided certain conditions are met.

For photos, this is powerful. Under the GDPR, a photograph of an identifiable person is personal data. A facial image is biometric data when processed for identification purposes — which receives even higher protection under the regulation. This means any website that publishes a recognizable photo of you is processing your personal data, and you have the right to request its deletion.

The key difference from the DMCA: the GDPR doesn’t require you to own the copyright to the photo. Even if someone else took the picture, you have the right to request erasure of your personal data (your face, your likeness) from that image. This makes the GDPR particularly useful for victims of revenge porn, where the perpetrator often holds the copyright.

Organizations must respond to erasure requests within one calendar month. If they fail to comply, you can file a complaint with your national Data Protection Authority (DPA), which can impose fines of up to 4% of the organization’s annual global turnover or 20 million euros — whichever is higher.

When Does It Apply to Photos?

The GDPR right to erasure applies to photos in these situations:

The photo was published without your consent. If you never gave permission for the image to be published — or if you withdrew your consent — you have grounds for erasure.

The photo is no longer necessary for its original purpose. If a photo was published for a legitimate purpose that no longer applies (e.g., a former employer’s website still displaying your headshot), you can request its removal.

The data is being processed unlawfully. Any photo published in violation of law — revenge porn, non-consensual intimate images, stolen content — qualifies for erasure under unlawful processing grounds.

You object to the processing. Under Article 21, you can object to the processing of your personal data. If the website has no overriding legitimate interest, they must delete it.

Important limitation: The right to erasure doesn’t apply in all cases. Exceptions include data needed for exercising the right of freedom of expression and information, legal compliance, public health purposes, archiving in the public interest, or defending legal claims. Journalism and artistic expression may also be exempt under some national implementations.

Geographic scope: The GDPR applies to any organization that processes the personal data of individuals in the EU/EEA — regardless of where the organization is based. A website hosted in the U.S. that has users in the EU must comply with GDPR erasure requests from those users.

What You Need Before Filing

Confirm you qualify. You must be located in the EU/EEA, or the data processing must relate to offering goods/services to EU/EEA residents or monitoring their behavior.

Identify the data controller. The “data controller” is the organization responsible for the data. For a website, this is typically the site operator. Check the site’s privacy policy or GDPR page for their data controller details and Data Protection Officer (DPO) contact.

Gather the specific URLs. Collect the exact URLs where your photos appear. Screenshots with timestamps are helpful as supplementary evidence.

Prepare your identity verification. Websites may ask you to verify your identity before processing an erasure request. Have a government-issued ID ready, though you should redact sensitive details (ID number, address) and only provide what’s strictly necessary for identification.

Document the legal basis. Know which ground you’re relying on: lack of consent, unlawful processing, withdrawal of consent, or objection to processing. For intimate images published without consent, “unlawful processing” is usually the strongest ground.

How to File a GDPR Erasure Request — Step by Step

Step 1: Find the right contact

Check the website’s privacy policy for their Data Protection Officer (DPO) or GDPR contact email. If there’s no privacy policy (common with small or anonymous adult sites), look for any contact information — an email address, a contact form, or WHOIS registration data.

Step 2: Draft your erasure request

Your request should include:

  • Your identification. Your name and enough information for them to find your data (the URLs where your photos appear).
  • Clear statement of request. Explicitly state you are exercising your right to erasure under Article 17 of the GDPR.
  • Legal basis. Specify which condition applies (e.g., “The data is being processed without my consent” or “The processing is unlawful”).
  • Specific content to be removed. List every URL where your photos appear.
  • Response deadline. State that you expect a response within one calendar month as required by Article 12(3) of the GDPR.

Step 3: Send the request

Email your erasure request to the DPO or privacy contact. Use a clear subject line like “GDPR Article 17 — Right to Erasure Request.” Keep a copy with the date and time sent.

Step 4: Wait for the response

The organization has one calendar month to respond. They must either confirm deletion, explain why they’re refusing (citing a valid exception), or request an extension of up to two additional months for complex requests.

Step 5: If they don’t comply — escalate

If the website ignores your request or refuses without valid grounds:

File a complaint with your national DPA. Every EU/EEA country has a Data Protection Authority that handles GDPR complaints. Find yours at the European Data Protection Board’s list of authorities. Filing a complaint is free.

Escalate through hosting infrastructure. Similar to DMCA escalation, if the website itself won’t comply, contact their hosting provider, CDN, or domain registrar — many of which are based in the EU and subject to GDPR obligations.

Consider legal action. Under Article 79 of the GDPR, you have the right to bring legal proceedings against the data controller. This can be done in the courts of the EU member state where the controller is established or where you reside.

How Privacy Leak Simplifies This Process

Filing GDPR erasure requests yourself requires identifying every website hosting your photos, finding each site’s DPO contact, drafting individual requests, tracking responses, and escalating non-compliance. For content that appears on dozens of sites, this becomes a full-time job.

Privacy Leak streamlines both sides of this process:

Finding all copies. The facial recognition scan identifies every indexed platform where your face appears — including sites in jurisdictions where GDPR applies and sites you’d never find manually.

Handling removal. Privacy Leak’s Legal Takedown Service files through the appropriate legal channel for each site — DMCA for copyright-based claims, GDPR erasure requests for EU-applicable sites, and Take It Down Act notices for non-consensual intimate imagery. The service acts as your legal proxy, keeping your identity hidden from platforms. Most content is removed within 24–72 hours.

Try a free scan at privacyleak.ai

Common Problems and How to Solve Them

“The website has no privacy policy or DPO contact.” Many small or anonymous adult sites don’t comply with GDPR’s transparency requirements — but they’re still subject to the law. Use WHOIS to find the hosting provider and send your erasure request there. Hosting providers in the EU take GDPR seriously.

“The website is outside the EU.” The GDPR applies to any organization processing EU residents’ data, regardless of location. However, enforcement against non-EU websites is harder in practice. In these cases, combine your GDPR request with a DMCA notice or Take It Down Act request for stronger coverage.

“They asked for excessive identity verification.” Websites can request identity verification, but they cannot demand more information than is strictly necessary. You should not need to provide your full home address, financial details, or an unredacted copy of your ID. If they’re demanding excessive data, file a complaint with your DPA.

“They claim a journalism or free expression exemption.” Some websites may argue that publishing your photos falls under freedom of expression or journalism exemptions. For non-consensual intimate images, this argument almost never holds up — DPAs and courts have consistently ruled that privacy rights outweigh alleged journalistic interest in such cases.

“The one-month deadline passed with no response.” File a complaint with your national DPA immediately. Include your original request, proof of sending, and evidence that the deadline has passed. DPAs can impose significant fines for failure to respond.

FAQ

What is the GDPR right to erasure?

The right to erasure (Article 17 of the GDPR) gives individuals the right to request that organizations delete their personal data when certain conditions are met — such as lack of consent, unlawful processing, or withdrawal of consent. Photos of identifiable people are personal data under the GDPR.

Does the GDPR right to erasure apply to photos?

Yes. A photo of an identifiable person is personal data under the GDPR. If published without consent or processed unlawfully, you can request its erasure. Crucially, you don’t need to own the copyright — unlike DMCA, the GDPR protects your personal data rights regardless of who took the photo.

Who can use the GDPR right to erasure?

Anyone whose personal data is being processed by an organization subject to the GDPR. This primarily applies to EU/EEA residents, but also covers anyone whose data is processed in connection with offering goods or services to EU residents or monitoring their behavior.

How long does a website have to respond to an erasure request?

One calendar month from receiving the request. They can extend by up to two additional months for complex requests, but must notify you of the extension within the first month. If they miss the deadline, file a complaint with your national DPA.

What’s the difference between GDPR erasure and DMCA takedown?

DMCA requires copyright ownership — you must own the photo to file. GDPR protects your personal data regardless of copyright. DMCA is a U.S. law; GDPR covers EU/EEA. DMCA requires your real name (exposed to the platform); GDPR requests can be more private. For comprehensive protection, use both where applicable.

Can I use GDPR to remove photos from adult sites?

Yes. Any website processing personal data of EU residents must comply with GDPR, regardless of the site’s content type or hosting location. Non-consensual intimate images on adult sites are clear cases of unlawful processing. In practice, enforcement is easier against sites with EU-based infrastructure.

What if the website ignores my GDPR request?

File a complaint with your national Data Protection Authority (DPA). DPAs can investigate, issue enforcement orders, and impose fines of up to 4% of the organization’s annual global turnover or 20 million euros. You also have the right to bring legal proceedings under Article 79.

How does Privacy Leak help with GDPR-based removal?

Privacy Leak’s facial recognition scan finds where your photos appear across the web. The Legal Takedown Service then files through the appropriate legal channel for each site — GDPR erasure for EU-applicable sites, DMCA for copyright claims, and Take It Down Act for intimate images — acting as your legal proxy to keep your identity hidden.

Key Takeaways

  • The GDPR right to erasure lets you demand deletion of your photos from any website that processes EU residents’ data — even if you don’t own the copyright.
  • Photos of identifiable people are personal data. Non-consensual intimate images are unlawful processing — the strongest ground for erasure.
  • Websites must respond within one calendar month. Non-compliance can be reported to your national DPA, which can impose fines up to 4% of global turnover.
  • For maximum coverage, combine GDPR with DMCA and Take It Down Act requests — each covers different legal grounds and jurisdictions.
  • Privacy Leak finds all copies through facial recognition and files through the correct legal channel for each site, keeping your identity hidden.

Start your free scan at privacyleak.ai