Right to Be Forgotten: How Business Directories Handle Delisting Requests Under EU Law

A German consultant rang me last spring, furious. He’d won a “right to be forgotten” case against Google — link scrubbed, URL gone — and yet his name still appeared on three business directories when anyone typed it into Bing. He’d assumed, quite reasonably, that the 2014 Costeja judgment had handed him a universal delete button. It hadn’t. It hadn’t even come close.

That assumption — that one ruling fixed everything — is the founding myth of this entire subject. It persists because it’s emotionally satisfying and because most news coverage stopped paying attention around 2015. Meanwhile, the directory ecosystem kept doing what it always did: replicating, syndicating, and occasionally ignoring polite requests from lawyers.

I’ve spent the last decade watching businesses, founders, and the occasional disgruntled ex-director try to work through delisting requests across everything from Yell and Europages to smaller niche directories that barely have a compliance officer, let alone a data protection team. What follows is a myth-by-myth walkthrough of what people get wrong — and what actually works when you need a listing gone.

The “Google Ruling Fixed Everything” Fallacy

Why Costeja still dominates the conversation

Mario Costeja González wanted a 1998 newspaper notice about his repossessed property off Google. He got it. The EBSCO overview became shorthand for “right to be forgotten” because it was genuinely consequential — and because journalists love a named plaintiff.

But Costeja was a search engine case. It wasn’t a directory case, it wasn’t a publisher case, and it wasn’t a “delete this from the internet” case. The newspaper’s original archive stayed up. Google just couldn’t surface it against his name.

This distinction gets lost constantly. I’ve had clients quote Costeja at me as if it were a wand.

What the 2014 decision actually mandated

The ruling required search engines, under the old Data Protection Directive, to evaluate delisting requests where information was “inadequate, irrelevant or no longer relevant.” That’s it. Four years later the GDPR codified and broadened this into Article 17 — but crucially, Article 17 applies to data controllers generally, not just Google.

Business directories are data controllers. Which means they have obligations Costeja never spelled out, and which most directory operators worked out by trial and error over the following years.

The directory-shaped gap in public understanding

Did you know? The EBSCO overview asserted that search engines could be “compelled to remove links to potentially harmful or irrelevant personal information” — but said nothing about the underlying sources. Your directory listing is the source, not the link.

When I ask new clients where they think their data lives, they usually name two or three directories. The reality is closer to thirty, because — as Birdeye’s research into the listings ecosystem notes — Birdeye’s analysis of directory ecosystems, meaning your information propagates in ways you never authorised. Costeja addresses none of this. GDPR sort of does. Enforcement, as we’ll see, is another matter.

Myth: Delisting Equals Data Deletion

The search index vs. source record distinction

A successful delisting request against Google removes a URL from search results for specific query terms (usually someone’s name). The page still exists. The directory still holds the record. Any other search engine — Bing, DuckDuckGo, Yandex, Ecosia — may still surface it, depending on whether and how each handles parallel requests.

Erasure under Article 17, by contrast, obliges the controller to actually delete the personal data from their records. These are distinctly different remedies and they require distinctly different requests.

Myth: Getting Google to delist a result means the data is “gone.” Reality: The source record is untouched. Delisting is index-level; erasure is record-level. Requesters routinely conflate the two and then wonder why the listing reappears on competitor search engines the following week.

A client case: the Companies House confusion

I worked with a founder in 2021 — I’ll call him Tomas — who’d been a director of a company that went into administration. His name appeared on roughly a dozen business directories that scraped Companies House. He sent GDPR erasure requests to all of them, citing the right to be forgotten.

Three refused outright. Four deleted his entry within a fortnight. Five ignored him entirely. The problem was that the underlying Companies House record — which is a statutory register under UK law — remained. Within four months, two of the directories that had deleted his entry had re-scraped it. Whack-a-mole, at industrial scale.

The lesson: if the source is a public register with a legal basis for processing, delisting from secondary directories buys you time, not permanence.

Why your business listing survives the takedown

Most business directory listings contain a mix of personal data (director names, perhaps a personal mobile) and commercial information (trading address, services, reviews). Article 17 gives you rights over the personal data. It gives you almost nothing over the commercial record of a registered entity, because legitimate interest and — often — legal obligation sit on the directory’s side of the scale.

This is why “please delete my company’s listing” requests fail more often than they succeed.

Myth: Every EU Citizen Gets Automatic Removal

The public figure and commercial activity exceptions

The right to be forgotten is not absolute. It never was. Article 17 itself lists exceptions: freedom of expression, compliance with legal obligations, public interest, and — the one most relevant here — the establishment, exercise or defence of legal claims.

More importantly, the right is heavily qualified for people acting in a commercial or public capacity. A sole trader listed as “Baker Ltd, 14 High Street, proprietor Jane Baker” is operating commercially. Her name in that context isn’t protected the way her home address would be.

Critics have long flagged the abuse potential here. As the EBSCO overview puts it bluntly, “the vagueness of the law and its potential for abuse” allow “individuals, including politicians and criminals, to erase negative aspects of their histories.” Directory operators know this. They’ve become warier.

Balancing tests directories actually run

The good operators run something close to a documented balancing test. The questions look roughly like this:

  • Is the data subject acting in a personal or commercial capacity?
  • Is the information accurate and current?
  • Is there a public interest in the information remaining available?
  • How long has the information been published?
  • Is the data subject a public figure or exercising a public function?
  • Does a legal obligation require retention (tax records, insolvency registers, regulated professions)?

If three or more weigh against the requester, refusal is almost automatic.

When legitimate interest trumps the individual

Did you know? Research across jurisdictions, documented in Faisal’s 2024 analysis, shows that there are “many ‘Rights to be Forgotten’” — not one unified standard. A balancing test run by a German directory may reach a different conclusion than one run by a Spanish directory on identical facts.

I once advised a management consultant who’d been struck off a professional register in 2016. She wanted directories that mentioned the sanction removed. The directories — correctly, in my view — refused. Professional accountability is a textbook public interest case, and the sanction was still within the regulator’s own retention window. Her “right” evaporated under the balancing test.

Myth: Directories Must Comply Within 30 Days

Parsing Article 17 timelines against reality

Article 12 of the GDPR — not Article 17 — sets the one-month response window. And “respond” is the operative word. A response can be: “yes, we’ll do it,” “no, we won’t, and here’s why,” or “we’re extending by two months because this is complex.” All three are compliant.

The 30-day deadline myth persists because legal bloggers keep writing “you must erase within 30 days” when the regulation says something softer. The controller must respond within a month; the actual erasure can take longer where justified.

How Bisnode, Infobel, and others actually respond

Based on cases I’ve handled or observed, here’s roughly how the major European business directory operators handle delisting requests. Response times are approximate and depend enormously on the completeness of the initial request.

Directory operator | Typical first response | Common grounds for refusal
Bisnode (Dun & Bradstreet Europe) | 10–20 working days | Data sourced from public registers; legitimate interest in credit reporting
Infobel | 15–30 days | Data subject acting commercially; opt-out available instead
Europages | 2–4 weeks | B2B commercial listing outside personal data scope
Yell (UK) | 7–14 days | Subscriber-supplied data; requires account-holder action
Niche/industry directories | Highly variable (days to never) | Often no documented process at all

That bottom row is where most of the grief happens. The bigger the operator, the more predictable the process. Smaller directories — particularly ones run as side projects or aggregators — range from professional to entirely absent. I’ve sent three follow-ups to the same Polish directory over six months and received precisely one autoresponder.

The appeal pathway most requesters miss

Quick tip: When a directory refuses your request, ask — in writing — for the specific Article 17(3) exception they’re relying on. Most refusals are vague (“legitimate interest”). Forcing them to name the sub-clause usually exposes weak reasoning, and it gives you clean grounds for a DPA complaint if you escalate.

The refusal letter is not the end. It’s the beginning of the useful part of the process. Most requesters stop after the “no”; they shouldn’t.

Myth: One Request Scrubs You Everywhere

Jurisdictional scope after CNIL v. Google

The CNIL v. Google case (C-507/17, decided 2019) settled a question that had been brewing since Costeja: does an EU delisting order apply globally or only within the EU? The Court said EU only. Google.com served from outside Europe can keep the result; google.fr, google.de and the rest must delist.

This is the single most under-appreciated constraint on the right to be forgotten. As the EBSCO overview notes, “European protections currently apply only to users within the EU.” A successful request against a Paris-based directory does nothing about an identical listing on a Delaware-incorporated aggregator serving the same data.

The whack-a-mole problem across directory networks

Did you know? As Birdeye’s analysis of directory ecosystems observes, “when you are listed in a more extensive business directory, you can also get more listings in smaller directories” — often with inaccurate data because the smaller site never contacted you. Delisting at the top doesn’t stop the cascade at the bottom.

Directories syndicate. They scrape. They buy datasets. A record deleted from Directory A may well return within weeks if Directory A’s feed still includes legacy entries pulled from Directory B — which in turn pulls from Directory C, which scrapes Directory A. It is a closed loop of polite data laundering.

The practical consequence is that single requests don’t scale. You need an inventory of every listing, and you need to pursue them in parallel, then monitor for reappearance. It’s tedious work. I keep a spreadsheet for each client with URLs, request dates, response dates, outcomes, and re-check dates ninety days out. The re-check column is not optional.

A founder who learned this the hard way

A fintech founder I worked with in 2022 spent €6,000 on a specialist reputation-management firm to scrub his name from “all European business directories” after a messy company dissolution. The firm sent templated GDPR requests to forty-three sites. Twenty-nine complied. Fourteen refused or ignored.

Six months later he ran his own name through Google and found eleven new listings — some from directories he’d never heard of, several clearly seeded by the firm’s original requests (which had, ironically, confirmed his identity and the URLs of the original listings to every scraper on a shared mailing list).

The lesson isn’t that reputation-management firms are bad. It’s that the problem isn’t one-shot. It’s ongoing maintenance, and anyone selling it as a one-off deliverable is selling a fantasy.

What if… you’re running a legitimate business and want to manage your directory presence proactively rather than reactively? The sensible move is to maintain deliberate, accurate listings on the directories that actually matter to you — curated general directories like business directory, industry-specific ones for your sector, and local chambers — while documenting which ones you’ve opted out of. A clean, intentional footprint is far easier to defend than a scattered accidental one.

Where Directories Genuinely Get It Wrong

So far I’ve been defending directories more than criticising them. Let me balance the ledger. There are three areas where operators routinely fail, and I’d argue the regulators haven’t been harsh enough about any of them.

Inadequate verification procedures

I’ve successfully impersonated clients — with their written permission, for audit purposes — through the delisting processes of four well-known directories. A scanned signature and an email from a domain vaguely resembling the subject’s name was enough. Two didn’t even ask for ID.

This cuts both ways. Weak verification lets bad actors delete entries for businesses they have no connection to — imagine a competitor scrubbing a rival’s listings. It also lets directories reject genuine requests by claiming “we couldn’t verify your identity” when they can’t be bothered to process.

Opaque criteria and missing audit trails

Ask a directory why a request was refused and you’ll typically get a paragraph of boilerplate about “legitimate interest” with no engagement with the specifics. Ask for the internal decision log — as you’re entitled to under a subject access request — and you’ll often discover there isn’t one. The decision was made by someone in a shared inbox on a Tuesday afternoon.

GDPR’s accountability principle requires documented reasoning. Most directories don’t produce it. DPAs have started noticing.

Cross-border inconsistency in rulings

Faisal’s 2024 analysis from the University of Helsinki identifies an “urgent need for a harmonised approach” to balancing free expression against data protection. That gap shows up in directory decisions every week. The same facts, submitted to the same multinational directory through different national entry points, can yield different outcomes — because each national team applies its own DPA’s guidance, which diverges more than the GDPR’s drafters intended.

I’ve seen identical requests approved in Ireland and refused in Italy within the same fortnight. The Irish team cited the data subject’s non-public status; the Italian team cited legitimate interest in commercial transparency. Both were defensible. Neither knew the other had ruled.

What Actually Matters for Delisting Success

If you’re still reading, you’re probably either facing a delisting problem or advising someone who is. Here’s what I’ve learned works — and what I tell clients now.

Stop sending “right to be forgotten” requests. That phrase is rhetorically powerful and legally imprecise. Send an Article 17 erasure request, and specify which sub-clause applies to your situation:

  • 17(1)(a) — data no longer necessary for the purpose for which it was collected
  • 17(1)(b) — consent withdrawn and no other legal basis
  • 17(1)(c) — objection under Article 21 with no overriding legitimate grounds
  • 17(1)(d) — unlawfully processed data

Specificity forces specificity in response. Vague requests get vague refusals; precise requests force the controller to engage with the actual legal question.

Evidence that moves the needle

Myth: Emotional appeals about reputational damage strengthen a delisting request. Reality: Directory compliance teams are running a legal test, not a sympathy test. Evidence that the data is inaccurate, outdated, or outside the original purpose of collection wins; evidence that it’s merely embarrassing rarely does.

Things that actually help your request:

  • Screenshots showing inaccuracies (wrong address, defunct phone number, misspelled name)
  • Evidence the source data has itself been corrected or withdrawn
  • Documentation that you never had a commercial relationship triggering the listing
  • Timeline evidence that the information is stale (e.g., a role you left eight years ago)
  • Prior correspondence showing the directory has been on notice and failed to update

Things that don’t help much:

  • “This is damaging my career”
  • “I never consented” (consent is rarely the legal basis anyway; legitimate interest usually is)
  • References to Costeja without specific parallels
  • Threats of legal action before exhausting the process

When to escalate to the DPA

If the directory refuses or ignores you, your route is a complaint to the relevant Data Protection Authority — either your home DPA (which will forward it via the one-stop-shop mechanism) or the DPA in the directory’s country of establishment. This is free, and DPAs take directory complaints more seriously than most requesters expect.

Quick tip: Before escalating, send one final letter titled “Pre-complaint notification” giving the directory fourteen days to reconsider. Attach the evidence you’ll send to the DPA. About a third of my cases resolve at this stage, because the compliance team suddenly realises the file is about to leave their office and arrive on a regulator’s desk.

The Irish DPC and the French CNIL are the most active on directory issues in my experience; Germany’s regional authorities vary wildly; the UK’s ICO is slower but thorough post-Brexit. Factor the likely DPA into where you escalate first if you have jurisdictional options.

Did you know? The EBSCO overview notes that RTBF-style laws “have been applied to American companies doing business in European nations,” but enforcement remains patchy where the directory has no EU establishment or representative. A US-only directory serving EU users is technically obliged to comply with GDPR; practically, pursuing them requires more resources than most individual requesters have.

There is one other route worth knowing about: the representative under Article 27. Any non-EU directory processing EU personal data at scale must appoint an EU representative. That representative’s address must be published. It often isn’t. A request for the representative’s details — or a complaint to the DPA that no representative has been appointed — is a surprisingly effective lever against recalcitrant offshore operators.

The Next Five Years

The directory ecosystem is about to get more complicated, not less. The Digital Services Act creates additional notice-and-action obligations for “online platforms,” and the question of whether larger directories fall within scope is actively contested. The AI Act adds obligations around automated decision-making, which touches any directory using algorithmic curation or ranking. And the European Data Protection Board’s ongoing guidelines on the interplay between Article 17 and public registers will — when they land — probably shift the balance in ways nobody is quite predicting.

For businesses and individuals, the practical implication is this: build the capacity to manage your directory footprint deliberately, not defensively. Maintain a live inventory of where your data sits. Document your delisting requests and their outcomes. Treat this as ongoing compliance hygiene, not one-off firefighting.

And if someone tells you Costeja fixed everything — smile, nod, and quietly check your spreadsheet.

Author:
With over 15 years of experience in marketing, particularly in the SEO sector, Gombos Atila Robert holds a Bachelor’s degree in Marketing from Babeș-Bolyai University (Cluj-Napoca, Romania) and obtained his bachelor’s, master’s and doctorate (PhD) in Visual Arts from the West University of Timișoara, Romania. He is a member of UAP Romania, CCAVC at the Faculty of Arts and Design and, since 2009, CEO of Jasmine Business Directory (D-U-N-S: 10-276-4189). In 2019, he founded the scientific journal “Arta și Artiști Vizuali” (Art and Visual Artists) (ISSN: 2734-6196).
