01.04.2026
Gernot Fritz, Fabian Duschnig
The right to erasure under Article 17 GDPR is one of the most prominent and practically relevant data subject rights. At the same time, the question has long been raised how far this right extends – in particular, whether it not only covers the deletion of already processed data but may also serve as a basis for injunctive relief against future processing.
This question has been answered inconsistently in the past. National courts have in some instances adopted a functionally broader interpretation, treating the right to erasure as a basis for claims seeking to prohibit further processing. With the judgment of the Court of Justice of the European Union (CJEU) in case C-655/23 (Quirin Privatbank AG), there is now a clarification at EU level that fundamentally reshapes this discussion.
Starting point: Broad interpretation by national courts
The starting point of the discussion was the consideration that the right to erasure is of limited practical effectiveness if the data processing in question can be resumed at any time. Against this background, both the German Federal Court of Justice (VI ZR 489/19) and the Austrian Administrative Court (Ra 2021/04/0022) have, in part, interpreted Article 17 GDPR as giving rise directly to a claim for injunctive relief.
What these decisions have in common is a functional understanding of the right to erasure: the removal of unlawfully processed data should not be viewed in isolation, but in connection with the prevention of further similar processing activities. The aim is to ensure effective protection of the data subject.
The underlying idea was one of effective fundamental rights protection: the mere act of erasure falls short if the underlying processing continues or can be resumed at any time.
The CJEU draws a line
With its decision in Case C-655/23, however, the CJEU has clearly rejected this broad interpretation. According to its regulatory content, Article 17 GDPR is directed at the erasure of personal data that has already been processed. A further claim aimed at prohibiting future processing cannot be derived directly from this provision.
This classification follows the structure of the GDPR, which provides for different instruments serving different objectives. While Article 17 GDPR aims at eliminating existing data processing, other mechanisms (such as supervisory measures or civil law claims) address the control of future conduct.
At the same time, the CJEU expressly emphasizes that EU law does not preclude national claims for injunctive relief. Whether and under what conditions such claims exist is a matter of the respective national legal system.
Consequences for previous case law
Against this background, the previous decisions of the German Federal Court of Justice and the Austrian Administrative Court can no longer be upheld in their original reasoning. To the extent that they derive injunctive relief directly from Article 17 GDPR, they are in conflict with the clarification now provided by the CJEU.
However, this does not necessarily mean that injunctive claims are excluded as such. Such claims may still exist—but no longer directly under the GDPR, only on the basis of national legal provisions.
The response of Austrian case law
This distinction is also reflected in more recent Austrian case law. The Federal Administrative Court has clarified (W258 2242389-1) that the right to erasure is directed at the removal of specifically processed data and does not encompass any further claim to prohibit future processing.
The case concerned a request to remove search results that appeared when entering the complainant’s name and referred to a media report. The search engine operator refused to de-reference the results, and the Data Protection Authority rejected the complaint on the grounds of a prevailing public interest in information. In the proceedings before the Federal Administrative Court, however, it emerged that a large part of the contested links was no longer accessible, so that the decision focused on a single remaining result. To the extent that content was no longer accessible, the request for erasure was considered fulfilled.
The court clarified that search engine operators are to be regarded as independent controllers within the meaning of the GDPR and that their activity constitutes processing of personal data, typically based on Article 6(1)(f) GDPR, which requires a balancing of interests.
With regard to the remaining search result, the court conducted a balancing of interests. It took into account, in particular, the distorted presentation, the lack of public figure status, the passage of time, and specific negative effects for the complainant. In the overall assessment, the complainant’s interests prevailed, so that the continued display was classified as unlawful processing and erasure was ordered.
In doing so, the Federal Administrative Court consistently follows the line of the CJEU: the claim ends with the erasure of data already processed and does not extend to the control of the controller’s future conduct.
Injunctive relief under Austrian administrative law
Under Austrian administrative procedural law, the Data Protection Authority may, in certain constellations, issue a so-called “mandate decision” (Mandatsbescheid) in order to provisionally prohibit the continuation of data processing where there is urgency. Such a measure may also be requested in complaint proceedings, provided that there is a substantial and immediate risk to the data subject’s legitimate confidentiality interests.
In addition, within the scope of its supervisory powers, the Data Protection Authority has far-reaching intervention powers. In particular, pursuant to Article 58(2)(f) GDPR, it may impose a temporary or definitive limitation including a ban on processing personal data. These measures are taken within the framework of ex officio or supervisory proceedings and do not establish a subjective right that a data subject could directly enforce by way of complaint proceedings.
Civil law injunctive claims
Against this background, civil law gains in importance. In Austria, data protection violations are regularly qualified as infringements of the general right of personality under Section 16 of the Austrian Civil Code.
On this basis, claims for injunctive relief may also be considered. However, this presupposes that the relevant civil law requirements are met. In the context of interim relief, Section 381(2) of the Enforcement Act is particularly relevant, which requires a concrete risk situation.
This means that an injunctive claim is not excluded, but it is subject to significantly stricter requirements than the mere assertion of a right to erasure under Article 17 GDPR.
In practice, such claims will therefore only succeed in selected constellations; namely where there are concrete indications of renewed or continued processing and where such processing is likely to result in a significant impairment of the data subject.
Practical assessment
The CJEU’s decision primarily brings clarity. As recent Austrian case law demonstrates, it puts an end to the tendency to extend Article 17 GDPR beyond its wording and refocuses on the structure of the Regulation.
At the same time, however, it leads to greater fragmentation of enforcement. While the right to erasure is harmonized under EU law, the question of injunctive relief will in the future depend on national law.
This creates additional complexity for companies being active internationally. Not only the lawfulness of processing, but also enforcement mechanisms and legal consequences are increasingly diverging across jurisdictions.
Conclusion
With its decision, the CJEU has drawn a clear line: Article 17 GDPR establishes a right to erasure – not a right to injunctive relief.
This calls into question a widespread practice that functionally linked erasure and injunction. Going forward, a clear distinction must be made: the GDPR governs the elimination of existing processing, while preventive injunctive claims can only arise under national law.
For practice, this has two key implications. On the one hand, the importance of robust erasure processes increases, as they form the core of the EU law claim. On the other hand, civil law enforcement gains relevance when it comes to preventing future processing. This distinction is operationally decisive.
We are happy to assist you in developing a robust defense strategy and embedding it in clear, practical processes.
