Sometimes called the "Right to be Forgotten" (a coinage from the Google Spain case at the Court of Justice of the European Union), the right to erasure allows a data subject to require that an organization delete their personal data. Under GDPR Article 17, it applies when the data is no longer necessary for the purpose collected, when consent has been withdrawn, when the subject objects and there is no overriding legitimate interest, or when the processing was unlawful.
Crucially, the right is not absolute. Organizations may retain personal data when needed for legal obligations (e.g. tax records, anti-fraud), exercise of legal claims, freedom of expression, archiving in the public interest, or scientific research subject to appropriate safeguards. Documenting which exception applies — and retaining only the minimum data required — is what distinguishes a defensible position from a refusal.
Operationally, an erasure request is harder than an access request. Where access only requires reading, erasure requires verified deletion across every store that holds the data — primary systems, backups, replicas, derived analytics, downstream third parties. A clean erasure workflow is one of the strongest signals of mature privacy engineering.