Right to Be Forgotten: GDPR Erasure Requests and How to Handle Them

Bottom Line Up Front

The right to be forgotten under GDPR requires your organization to delete personal data when individuals request it — unless you have a legitimate legal basis to keep it. You’re probably reading this because a customer submitted an erasure request, your legal team flagged GDPR compliance gaps, or you’re building data handling processes that can actually respond to these requests without manual detective work across dozens of systems.

What GDPR Article 17 Actually Requires

The right to erasure (Article 17) gives individuals the power to demand deletion of their personal data under specific circumstances. This isn’t a universal “delete everything” button — GDPR recognizes legitimate business and legal reasons to retain data, but the burden is on your organization to justify retention.

Who Must Comply

Any organization processing personal data of EU residents must handle erasure requests, regardless of where your company is headquartered. This includes SaaS platforms with European customers, e-commerce sites shipping to the EU, and marketing platforms with EU subscribers in their database. Many US companies choose to apply GDPR standards globally rather than maintaining separate data handling processes by geography.

When Erasure Requests Must Be Honored

Individuals can request deletion when:

  • The personal data is no longer necessary for the original purpose
  • They withdraw consent (for consent-based processing)
  • They object to processing and there’s no overriding legitimate interest
  • The data was unlawfully processed
  • Deletion is required for legal compliance
  • The data was collected from a child

When You Can Refuse Erasure Requests

You can retain data for:

  • Freedom of expression and information
  • Legal obligations (tax records, employment law requirements)
  • Public interest (public health, historical research)
  • Legal claims (ongoing litigation, warranty obligations)
  • Consent to processing special category data (in some circumstances)

Response Timeline and Penalties

You have 30 days to respond to erasure requests, extendable by two months for complex cases. Fines can reach 4% of annual global revenue or €20 million, whichever is higher. More practically, poor data handling damages customer trust and creates operational chaos during busy periods.

Scoping Your Erasure Response Process

Mapping Your Data Landscape

Start with a data flow diagram showing where personal data enters, moves through, and exits your systems. Most organizations discover data in unexpected places: application logs, backup systems, analytics platforms, customer support tickets, and third-party integrations.

Your erasure scope includes:

  • Production databases (customer records, transaction history)
  • Analytics platforms (user behavior tracking, marketing attribution)
  • Backup and archive systems (often the most challenging to address)
  • Third-party processors (CRM, email marketing, support tools)
  • Application logs (containing IP addresses, user IDs, session data)

The Vendor Data Challenge

When you share personal data with processors, you remain responsible for ensuring erasure across the entire data ecosystem. Your vendor contracts should specify:

  • How processors handle erasure requests
  • Response timeframes for data deletion
  • Technical methods for confirming deletion
  • Handling of data in backups and archives

Document which vendors can delete data via API, which require manual requests, and which maintain retention periods that might conflict with erasure obligations.

Scope Reduction Strategies

Data minimization reduces your erasure burden. Collect only necessary data, implement automatic purging for expired records, and avoid storing personal data in logs where deletion is technically complex. Use pseudonymization or anonymization where possible — truly anonymous data falls outside GDPR scope.

Separate personal data from operational data in your database design. When customer account data lives alongside transaction metadata, erasure becomes significantly more complex.

Implementation Roadmap

Phase 1: Gap Assessment and Current State Analysis

Map your existing data handling capabilities. Most organizations can identify customer records in their primary database but struggle with data scattered across analytics tools, support systems, and application logs.

Audit your backup and recovery processes. Many companies can delete production data quickly but maintain personal information in nightly backups for months or years. Document your backup retention schedule and identify whether you can selectively restore systems without the erased data.

Test your vendor relationships. Submit test erasure requests to key processors to understand their actual response times and deletion capabilities. Some vendors claim GDPR compliance but require complex manual processes for data deletion.

Phase 2: Policy and Procedure Development

Develop an erasure request handling procedure that defines:

  • How customers submit requests (email, support portal, dedicated form)
  • Identity verification requirements before processing
  • Internal escalation for complex cases
  • Communication templates for confirmations and refusals
  • Documentation requirements for audit purposes

Create data retention schedules that specify how long you keep different categories of personal data and the legal basis for each retention period. This framework helps you evaluate erasure requests consistently.

Draft customer-facing communications explaining your erasure process, typical response times, and what data might be retained for legal compliance. Transparency builds trust and reduces follow-up inquiries.

Phase 3: Technical Control Implementation

Centralize personal data identification. Implement unique customer identifiers that allow you to locate related data across systems. Consider tagging personal data at ingestion to simplify future erasure operations.

Build automated erasure workflows where possible. APIs that can delete customer records, purge related analytics events, and trigger downstream deletions in integrated systems reduce manual effort and human error.

Address the backup challenge. Options include:

  • Shorter backup retention periods
  • Incremental backup strategies that don’t perpetually retain old data
  • Backup systems that support selective deletion
  • Overwriting backup media on a defined schedule

For application logs containing personal data, implement log rotation policies that automatically purge old entries, or move to structured logging that separates personal identifiers from operational data.

Phase 4: Evidence Collection and Process Validation

Document your erasure handling process with:

  • Request logs showing receipt, processing, and completion of erasure requests
  • System screenshots or database queries proving data deletion
  • Vendor confirmations of downstream data deletion
  • Legal basis documentation for any retained data

Test your process with internal erasure requests to identify gaps before handling real customer requests. Time each step to ensure you can meet the 30-day response requirement even during high-volume periods.
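The Phase 3 workflow and the Phase 4 request log can be sketched together. This is an added example, not code from the original article: the system names, retention schedule, key, and customer identifiers are all constructed for illustration, and in-memory dictionaries stand in for real data stores.

```python
import hashlib
import hmac
from datetime import date

# Assumption: the key lives in a secrets manager; this value is a constructed placeholder.
AUDIT_KEY = b"constructed-demo-key"

# Hypothetical retention schedule: system -> (legal basis, retain until).
RETENTION = {"billing": ("tax record retention", date(2031, 1, 1))}

def sample_stores():
    """Constructed sample data: three systems sharing one customer identifier."""
    return {
        "crm": {"cust-1001": {"email": "a@example.com"},
                "cust-1002": {"email": "b@example.com"}},
        "analytics": {"cust-1001": [{"event": "login", "ip": "203.0.113.7"}]},
        "billing": {"cust-1001": {"invoice": "INV-7"}},
    }

def subject_ref(customer_id):
    """Keyed hash so the request log does not store the raw identifier."""
    return hmac.new(AUDIT_KEY, customer_id.encode(), hashlib.sha256).hexdigest()[:16]

def erase(customer_id, today, stores, retention=RETENTION):
    """Delete one subject's records everywhere, honouring retention holds."""
    record = {"subject": subject_ref(customer_id), "processed": today.isoformat(),
              "deleted": [], "retained": [], "not_found": []}
    for name, store in stores.items():
        if customer_id not in store:
            record["not_found"].append(name)
            continue
        hold = retention.get(name)
        if hold and today < hold[1]:
            # Keep the data, but log the legal basis and the end of the hold.
            record["retained"].append(
                {"system": name, "basis": hold[0], "until": hold[1].isoformat()})
            continue
        del store[customer_id]
        record["deleted"].append(name)
    # Verification pass: re-query every system that reported a deletion.
    record["verified"] = all(customer_id not in stores[n] for n in record["deleted"])
    return record

if __name__ == "__main__":
    print(erase("cust-1001", date(2025, 3, 1), sample_stores()))
```

Running the same request again after the retention date passes deletes the held billing record, which is how the retention schedule and the erasure workflow stay in sync.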

Implementation Timeline

Startup (50-200 employees): 2-4 months

  • Simpler data architecture speeds implementation
  • Limited vendor integrations reduce complexity
  • Focus on core customer database and key SaaS tools

Mid-market (200-1000 employees): 4-6 months

  • More complex data flows across departments
  • Legacy systems may lack modern data management features
  • Requires cross-functional coordination between teams

Enterprise (1000+ employees): 6-12 months

  • Multiple data centers, complex backup systems
  • Extensive third-party integrations
  • Regulatory and legal review processes

Team Involvement

Legal counsel defines retention requirements and reviews refusal justifications. Engineering teams implement technical deletion capabilities. Customer support handles request intake and customer communications. The data protection officer (if required) oversees the entire process and ensures regulatory compliance.

The Ongoing Erasure Management Process

Handling Different Request Types

Simple erasure requests involve active customers deleting their accounts. These should be largely automated through your standard account deletion process.

Complex requests include former customers whose data spans multiple systems, requests involving ongoing legal obligations, or situations where erasure conflicts with other legitimate interests.

Partial erasure requests ask for deletion of specific data categories while maintaining the customer relationship. Your systems should support granular data deletion beyond all-or-nothing account closure.

Identity Verification

Establish identity verification procedures to prevent unauthorized erasure requests. For existing customers, email confirmation to the registered account may suffice. Former customers might need to provide additional identifying information.

Document your verification process and ensure it’s proportional to the sensitivity of the data involved. Overly complex verification creates barriers for legitimate requests, while insufficient verification creates security risks.

Managing Refusals

When refusing erasure requests, provide specific legal justifications rather than generic responses. Common legitimate grounds include:

  • Tax record retention requirements
  • Ongoing warranty or support obligations
  • Fraud prevention and detection
  • Legal claims or litigation holds

Explain what data you’re retaining, why retention is necessary, and any time limits that apply. Inform individuals of their right to complain to supervisory authorities if they disagree with your decision.

Common Failures and How to Avoid Them

The “We’ll Delete Everything” Trap

Failure: Assuming you must delete all personal data when requested.
Reality: GDPR recognizes legitimate business needs for data retention.
Prevention: Document legal basis for data processing and retention schedules before requests arrive.

The Backup Blindspot

Failure: Deleting production data while maintaining copies in backup systems indefinitely.
Reality: Personal data in backups still falls under GDPR obligations.
Prevention: Implement backup strategies that support data deletion or shorter retention periods.

The Vendor Black Box

Failure: Assuming vendors handle erasure automatically without verification.
Reality: Many processors require manual coordination for data deletion.
Prevention: Test vendor erasure capabilities and document actual procedures in your contracts.

The Log Data Oversight

Failure: Forgetting personal data stored in application logs, analytics platforms, and operational systems.
Reality: IP addresses, user IDs, and session data in logs constitute personal information.
Prevention: Audit all systems that might contain personal data, not just obvious customer databases.

The 30-Day Deadline Miss

Failure: Underestimating the time required for complex erasure requests.
Reality: Coordinating deletion across multiple systems and vendors takes significant effort.
Prevention: Build buffer time into your process and communicate early if extensions are needed.

FAQ

What constitutes a valid erasure request?
Any clear request from a data subject asking for deletion of their personal data, submitted through any communication channel. The request doesn’t need to reference “Article 17” or use specific legal language — “please delete my account and data” suffices.

Can we charge fees for processing erasure requests?
Generally no. GDPR prohibits fees for erasure requests unless they’re “manifestly unfounded or excessive,” particularly if repetitive. The threshold for charging fees is extremely high and requires careful legal justification.

How do we handle erasure requests for deceased individuals?
GDPR doesn’t directly address deceased persons, but many EU member states have implemented national laws extending data protection rights to deceased individuals’ families or representatives. Check the specific requirements in jurisdictions where you operate.

What if we can’t delete data from backups immediately?
Document your backup retention schedule and deletion procedures. As long as you have a reasonable timeline for removing personal data from backups (typically within your normal backup rotation cycle), this generally satisfies GDPR requirements if immediate deletion isn’t technically feasible.

Do we need to notify other parties when we delete someone’s data?
If you’ve shared the personal data with other processors, you must inform them about the erasure request “taking into account available technology and the cost of implementation.” This typically means notifying vendors and processors who received the data from you.

How do we document compliance with erasure requests?
Maintain logs showing request receipt, processing steps taken, systems accessed for deletion, vendor notifications sent, and completion confirmation. This documentation proves compliance during regulatory investigations or audits. Be careful not to retain personal data unnecessarily in your compliance records.

Building Sustainable Erasure Processes

The right to be forgotten isn’t just a compliance checkbox — it’s an operational capability that demonstrates respect for customer privacy and builds competitive advantage in privacy-conscious markets. Organizations that implement thoughtful erasure processes often discover opportunities to streamline their overall data management practices.

Start with data architecture decisions that make erasure easier rather than retrofitting deletion capabilities onto systems designed for permanent retention. Consider the personal data lifecycle, from collection through deletion, when evaluating new tools and integrations.

Focus on automation where possible but maintain human oversight for complex cases. The goal is handling routine requests efficiently while escalating nuanced situations that require legal or business judgment.

Your erasure response process reflects your organization’s broader approach to data stewardship. Companies that get this right find themselves better positioned for other privacy regulations, more efficient in their data operations, and more trusted by customers who value privacy rights.

SecureSystems.com helps organizations build practical GDPR compliance programs that work in real-world business environments. Our privacy and security consultants guide you through data mapping, erasure process implementation, and vendor management strategies that satisfy regulatory requirements without disrupting business operations. Whether you’re handling your first erasure request or scaling privacy operations for growth, we provide clear timelines, technical implementation support, and ongoing compliance guidance tailored to your industry and technology stack. Book a free privacy assessment to understand exactly where your erasure capabilities stand today.
