Right to Erasure: GDPR Compliance Steps

By The Reform Team

The Right to Erasure, or the "right to be forgotten", under GDPR gives individuals control over their personal data by allowing them to request its deletion. However, this right isn’t absolute and applies under specific conditions, such as when the data is no longer needed, consent is withdrawn, or the processing violates legal guidelines. Organizations must respond within one month and ensure compliance through clear policies, data mapping, and secure deletion processes.

Key Takeaways:

  • When It Applies: Data is unnecessary, consent is withdrawn, or processing was unlawful.
  • Exemptions: Legal obligations, public interest, or legal claims may prevent deletion.
  • Steps for Compliance:
    • Map and document all data processing activities.
    • Develop an internal erasure policy with clear protocols.
    • Verify requests carefully to prevent errors or breaches.
    • Ensure deletion across all systems, including backups and third-party processors.
    • Maintain detailed records of all actions taken.

Why It Matters: Beyond avoiding fines, respecting erasure requests builds trust and demonstrates responsible data management. Clear communication with individuals and regular audits of deletion processes are vital for efficient compliance.

Creating an Internal Erasure Policy

Having a clear internal erasure policy is a must for GDPR compliance. Without one, organizations often struggle to handle erasure requests efficiently, potentially falling short of legal obligations. A well-thought-out policy ensures your team knows exactly how to respond when someone asks for their personal data to be deleted.

"An erasure concept defines in a systematic and standardised way how personal data, in a company, are deleted when their retention period has expired."

The starting point for an effective erasure policy is understanding your data: what you have, where it’s stored, and who manages it. Taking a methodical approach transforms what could be a chaotic process into a smooth, efficient workflow that protects both your organization and individual privacy rights.

Mapping Data Processing Activities

To delete data effectively, you first need a clear picture of the personal information your organization collects and processes. This is where data mapping comes in - it’s the foundation for GDPR compliance and helps you handle erasure requests with confidence.

Begin with a thorough audit of your data across all departments. Marketing, sales, customer service, HR, and IT all manage different types of personal data, from contact details to employee records. By involving every department, you’ll ensure no data flow is overlooked.

Your mapping process should identify data sources such as websites, mobile apps, CRM systems, and marketing tools. Document the types of personal data collected - like names, email addresses, phone numbers, and IP addresses - and trace how this information moves within your organization and to third-party processors, such as cloud providers or payment platforms.

Creating a Record of Processing Activities (RoPA), as required by GDPR Article 30, is a smart move. This document acts as a roadmap, showing where personal data is stored and how it’s processed. When someone requests their data to be deleted, you’ll know exactly where to look and what systems to address.

Don’t forget to include data retention periods in your mapping exercise. Different types of data are subject to varying legal retention requirements, so understanding these timelines is critical. This step will help you build realistic timelines for data deletion and establish clear methods for removing each category of data.

Setting Up an Erasure Protocol

Once you’ve mapped out your data, the next step is to craft a detailed protocol for handling erasure requests. This protocol should include erasure classes, which group data types by their sensitivity and retention needs.

"An internal erasure policy should include erasure classes with data types, erasure periods, and the protection requirement of the data to be erased."

Each erasure class should specify the data it covers, the level of protection required, and the appropriate deletion method. For example, highly sensitive data might require secure deletion methods with extra safeguards, while less sensitive data could be removed using standard procedures.

Your protocol should also outline clear timelines for each step of the erasure process. While GDPR allows up to one month to respond to requests, it’s a good idea to set internal deadlines that are shorter. This gives your team time to verify requests, locate data, and complete the deletion process.

Verification is a key part of the process. Define how to confirm the identity of the requester and what information they need to provide. This ensures data is only deleted after proper verification, while still keeping the process accessible for legitimate requests.

Establish rules for how and when data should be deleted. These rules should cover all storage systems, backups, and third-party integrations. True deletion means removing data not just from active systems but also from backups and any copies held by external partners.

For instance, settlement documents may need to be retained for 10 years after the end of a business relationship. These should be reviewed annually and securely destroyed - both physical and digital versions - once the retention period ends. With these protocols in place, assign specific roles to your team to ensure the process runs smoothly.

Assigning Team Responsibilities

A solid erasure policy relies on clear roles and accountability. Multiple team members should be involved to ensure proper oversight and reduce the risk of mistakes.

Set up an approval process that includes key roles, such as a technical expert in data deletion, a Data Protection Officer (DPO) to oversee compliance, and a supervisor for final approval. The DPO plays a central role, monitoring how personal data is processed and advising employees on their GDPR responsibilities. They’re also the main point of contact for data protection authorities and individuals submitting requests.

If your organization doesn’t have a formal DPO, assign these responsibilities to trained team members. For example, someone from your legal or compliance department can handle regulatory oversight, while IT staff manage the technical aspects of deletion.

Training is critical for everyone involved. Make sure team members understand both the technical steps and the legal implications of data deletion. Regular training sessions will help your team stay updated as systems and regulations evolve.

A coordinated approach - where IT handles technical tasks and the DPO oversees legal compliance - ensures a smooth, compliant erasure process. Document every erasure action, including who performed it, when it happened, what data was deleted, and any challenges encountered. This documentation not only serves as proof of compliance but also helps refine your processes over time.

Finally, review and update your erasure policy regularly. As your organization grows and new data processing activities arise, periodic reviews will ensure your policy stays effective and aligned with current regulations.

To simplify these processes, tools like Reform can be a big help. Reform’s no-code form builder includes features like data validation and secure handling, making it easier to manage personal information from collection to deletion. With clear roles, detailed protocols, and the right tools, your team will be equipped to handle erasure requests efficiently and confidently.

How to Process Erasure Requests

Handling an erasure request involves three key steps: verifying identity, deleting data, and communicating outcomes. Each step must align with legal obligations and practical considerations to ensure compliance and efficiency.

The clock starts ticking as soon as the request is received. Organizations must respond within one month, though an extension of up to two additional months is allowed for complex cases. However, the individual must be informed of any delay and the reasons behind it within the first month. To avoid last-minute issues, it's wise to set internal deadlines shorter than these legal limits.

Verifying the Request

Before proceeding, confirming the requester's identity is crucial to prevent unauthorized deletions or data breaches. This step requires a careful balance: thorough enough to protect sensitive information, but not so demanding that it discourages valid requests.

The GDPR (Recital 64) advises:

"The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers."

Begin with basic checks, such as verifying usernames or passwords linked to the account. The ICO's Right of Access Guidance also emphasizes:

"You should also not request formal identification documents unless necessary. First you should think about other reasonable and proportionate ways you can verify an individual's identity. You may already have verification measures in place which you can use, for example a username and password."

If further verification is needed, use details you already have, like recent transactions or account activity, before asking for formal documents. Adjust the level of scrutiny based on the sensitivity of the data. For instance, highly sensitive information may require stricter verification compared to basic contact details.

For third-party requests, confirm their authority to act on behalf of the individual. If photo identification is required, handle it securely and destroy it immediately after verification to reduce privacy risks. Keep a record of your decision-making process to show that you took reasonable measures to protect personal data.

Finding and Deleting Data

Once identity is verified, the next step is locating and removing the individual's personal data from all systems. Use your data map to identify where the data resides - databases, CRM systems, cloud platforms, backups, or temporary storage.

Tagging data (e.g., using a "Forgotten_flag") can streamline the process, making it easier to locate and track the erasure. This tagging also creates an audit trail for compliance purposes.

Backup systems often pose unique challenges. Erasing data from active systems isn't enough if copies remain in backups. In such cases, restore the necessary snapshots, delete the data, and create new backups to ensure complete removal.

The method of deletion should match the sensitivity of the data. Physical deletion permanently removes data, while logical deletion (e.g., access controls or masking) makes it inaccessible. For highly sensitive information, physical deletion with secure wiping methods is the safest approach to prevent recovery.

To simplify maintenance, consider scheduling deletion processes, such as performing physical deletions every 25–30 days. Before final deletion, create a restricted backup to retain for an agreed-upon period. This can act as a safeguard against disputes or legal challenges while still respecting the erasure request.

Keep detailed records of each step: which systems were checked, what data was deleted, who performed the task, and when it occurred. This documentation not only demonstrates compliance but also helps refine your process for future requests.

Finally, notify the individual about the completed erasure.

Responding to the Data Subject

Clear communication throughout the process builds trust and highlights your dedication to data protection. Acknowledge receipt of the request promptly, outlining the next steps and expected timelines. This initial response reassures the individual that their request is being handled and sets realistic expectations.

For more complex cases involving multiple systems or third parties, provide regular updates. Even a simple progress update shows transparency and ongoing attention to the request.

Once the erasure is complete, send a detailed notification explaining what data was deleted and where it was removed from, including backups and third-party processors. Transparency here helps the individual understand the scope of the erasure and reinforces confidence in your process.

If you're unable to fulfill all or part of the request, clearly explain the reasons - such as legal obligations to retain certain records - and inform the individual of their right to escalate the issue to supervisory authorities or pursue legal action.

Document all related communications, including timestamps, content, and any actions taken in response to follow-ups. These records serve as proof of compliance and can help identify areas for process improvement.

For organizations using tools like Reform to collect personal data, ensure your erasure process includes all data gathered through forms and integrations. Tools with secure data handling features can simplify compliance, but coordination across all connected systems is essential.

Using Tools for Efficient Compliance

Modern technology has made GDPR compliance easier by automating processes like handling erasure requests. Using reliable tools alongside your internal protocols can create a smoother and more secure workflow. Platforms like form builders and data management systems are designed to process erasure requests effectively while adhering to security standards. Let’s take a closer look at how Reform simplifies this process.

Managing Requests with Reform

Reform uses multi-step forms to gather erasure requests efficiently. Its conditional routing feature tailors the form experience based on user responses, ensuring all necessary details for identity verification and processing are captured.

To combat fraudulent requests, Reform includes spam prevention measures. Its real-time analytics dashboard gives teams a clear view of incoming requests, helping them monitor response times and spot potential delays. Additionally, the platform’s email validation ensures the accuracy of contact details right from the start, reducing verification issues.

The lead enrichment feature cross-references submitted data with existing records, making it easier to locate and confirm the identity of the data subject within your systems.

Once requests are collected, automated workflows take over to streamline the compliance process.

Setting Up Compliance Workflows

Reform integrates seamlessly with popular CRM and marketing tools like HubSpot and Salesforce. This allows erasure requests to automatically trigger predefined workflows, covering both verification and deletion steps.

The platform also tracks abandoned submissions, ensuring incomplete erasure requests don’t go unnoticed. Follow-up communications can guide users to finish their requests, improving overall compliance efficiency.

Organizations can customize forms with their own branding using custom CSS and JavaScript. A well-designed, branded interface builds trust with users and encourages them to provide complete and accurate information.

Reform’s headless forms feature makes it easy to integrate with existing compliance systems. This means you can enhance your current workflows with Reform’s advanced data collection and validation capabilities without overhauling your setup.

Implementing Secure Data Deletion

While Reform handles the intake and initial processing of requests, secure data deletion requires coordination across all systems containing personal data. Reform’s integrations ensure that deletion commands are sent to all connected systems simultaneously.

For permanent removal, physical deletion overwrites data to make it unrecoverable. Logical deletion, which uses techniques like access controls or data masking, can act as an interim solution until physical deletion is scheduled. This approach removes data from active use while allowing for complete removal during planned system updates.

For especially sensitive information, secure wiping protocols provide an added layer of protection.

It’s important to regularly audit your compliance tools to ensure they meet current GDPR standards. Quarterly reviews of your form collection processes, workflows, and deletion procedures can help identify areas that need adjustment.

"The GDPR deletion concept strengthens user trust and data security by prescribing clear deadlines and rights for data deletion."

Automating deletion schedules based on data retention policies is another way to stay compliant. Reform’s integration features can trigger these scheduled deletions across all systems, ensuring consistency in applying your policies.

Finally, document all configurations and integration settings as part of your compliance records. This not only supports your GDPR efforts but also serves as evidence of your commitment to regulatory standards during audits or reviews.

Understanding legal obligations is essential for staying compliant and keeping accurate records. GDPR Article 17 outlines the responsibilities for data deletion while also detailing specific exceptions that require careful documentation and justification.

Exceptions to the Right to Erasure

Under GDPR Article 17, there are situations where erasure requests can be denied. These include instances where data processing is necessary for freedom of expression, fulfilling legal obligations, tasks in the public interest (like archiving or research), or for establishing, exercising, or defending legal claims. When denying a request, it’s important to inform the data subject of the reasons and their right to appeal. Properly documenting and justifying the reliance on any of these exceptions is critical.

"The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay" – GDPR Article 17

The term "undue delay" typically means about a month to respond to erasure requests, whether approving or refusing them. Quick evaluations are essential to meet this timeline and maintain compliance.

These exceptions also play a role in managing obligations tied to third-party relationships.

Third-Party Contract Requirements

When handling erasure requests, controllers must address how third parties process shared data. GDPR requires contracts with processors to ensure they assist controllers in fulfilling data subject rights, including erasure. If personal data has been shared with other organizations, controllers must notify those parties about the erasure request unless doing so would be disproportionate.

Contracts with data processors should include clear terms about erasure-related obligations, such as compliance deadlines and responsibilities for notifying sub-processors. Controllers remain accountable for ensuring processors follow documented instructions and provide adequate safeguards for data subject rights. Regular audits can confirm that processors have the necessary technical and organizational measures in place to handle erasure requests effectively.

Once external obligations are managed, the focus shifts to maintaining accurate internal records.

Keeping Compliance Records

Accurate record keeping is essential for demonstrating compliance. GDPR Article 30 requires organizations to document their data processing activities thoroughly, especially those with over 250 employees. Keeping detailed logs of erasure requests ensures transparency and audit readiness.

Your Data Processing Inventory should include key information such as the identities of the controller, processor, and DPO; processing purposes and legal bases; data categories; access permissions; data transfers; retention limits; and security measures. For erasure requests, logs should capture the request date, verification steps, data locations, deletion methods, and third-party notifications. If a request is denied, document the specific legal exception applied and the reasoning behind it.

Regular audits of IT systems, updated data retention policies, and well-organized data flows improve efficiency in managing erasure requests while keeping documentation up to date. Comprehensive record keeping under GDPR - covering all processes, records, and accountability measures - provides a solid framework for maintaining compliance across all aspects of data protection.

Conclusion: Making GDPR Compliance Simple

Implementing the Right to Erasure doesn’t have to be complicated. Start with an information audit to understand what data you process, where it’s stored, and who has access to it. Train your team to recognize and properly handle erasure requests, whether they arrive via email, phone, or online forms. Using technology to integrate these processes can make everything far more efficient.

For example, tools like Reform's form builder can simplify the process by creating dedicated request forms that collect all necessary details, including identity verification. This structured approach reduces unnecessary back-and-forth communication and speeds up response times.

Strong compliance systems do more than just help you avoid fines - they strengthen customer trust. Be transparent about how you handle data. Commit to never selling customer information and deleting it when it’s no longer needed. Empower users by giving them clear, straightforward options regarding their personal data.

To stay on track, document every step of the process. Record each request, verification details, data locations, and actions taken to delete the data. If a request is denied due to legal exceptions, ensure you document the reasoning and inform the individual of their right to appeal. This thorough documentation not only demonstrates your compliance during audits but also reassures customers about your data handling practices.

The Right to Erasure isn’t just about meeting legal requirements - it’s an opportunity to show your dedication to privacy. By embracing clear processes and leveraging technology, you can protect customer data, build trust, and make GDPR compliance a smoother journey.

FAQs

Under what circumstances can someone request the Right to Erasure under GDPR?

The Right to Erasure, often called the "Right to be Forgotten", gives individuals the ability to request the removal of their personal data under certain conditions. These situations include:

  • The data is no longer needed for the purpose it was initially collected or processed.
  • The processing of the data was unlawful.
  • Deletion is required to meet a legal obligation.
  • The data was gathered from a child in the context of providing information society services.

Organizations are responsible for carefully evaluating each request. They must ensure it aligns with legal requirements while also considering other responsibilities, such as maintaining records or addressing matters of public interest.

How can organizations ensure complete data deletion, including backups and third-party systems?

To thoroughly remove data, organizations can implement data anonymization or cryptographic erasure for their backups while enforcing strict data retention policies. Conducting regular audits and closely managing vendors helps confirm that data is fully erased across internal systems and any third-party platforms.

Backups should also be set up to ensure deleted data cannot be recovered. Clear, well-documented procedures for processing deletion requests should be shared with all third-party systems. These steps not only help meet GDPR requirements but also reinforce user trust by prioritizing their privacy.

Under the GDPR, organizations have the right to deny a data erasure request if certain exceptions apply. For instance, data can be retained if it’s required to meet legal obligations, assert or defend against legal claims, or exercise legal rights, as stated in GDPR Article 17(3).

When rejecting such a request, it’s crucial to clearly explain the reason to the individual while ensuring the decision adheres to GDPR rules. Additionally, documenting the rationale behind the denial is essential to show compliance, especially in the event of audits or disputes.
