What is the right to erasure?
Under Article 17 of the GDPR, every individual has the right to ask an organisation to erase their personal data. The right is also known as the right to be forgotten, and in practice you will see the same request called a data erasure request or data deletion request, all of which mean the same thing.
This is one of the 8 data subject rights under the GDPR. It sounds simple, but in practice it is one of the trickiest rights to handle correctly, because the right is not absolute. There are situations where you must delete, situations where you may refuse, and situations where you are even obliged to refuse.
In short: you must respond without undue delay and at the latest within one month (extendable by two further months for complex or numerous requests, provided you tell the data subject about the extension within the first month). You must delete when the data is no longer needed, consent is withdrawn, or processing was unlawful. You may refuse when a legal retention obligation, a legal claim, or another GDPR exception applies. Always document the decision and inform any recipients.
Data erasure vs. data deletion: same thing?
Yes. The GDPR uses “erasure” in the official English text, but “data deletion” and “data erasure” are used interchangeably in everyday language and in most national supervisory authority guidance. Both refer to the right under Article 17.
When you must delete
You are obliged to delete data when:
- The data is no longer needed for the purpose for which you collected it. The customer relationship has ended and you have no other purpose.
- The data subject withdraws consent and there is no other legal basis. If you process data based on consent and it is withdrawn, you must delete.
- The data subject objects to processing based on legitimate interest, and your interests do not outweigh theirs. If the objection concerns direct marketing there is no balancing test: you must stop and delete.
- The data was processed unlawfully, for example because you never had a valid legal basis for collecting it.
- A legal obligation under EU or member state law requires you to delete.
When you may refuse
You may refuse a deletion request if the data is needed for:
Legal retention obligation
Accounting documents must be retained for the statutory period that applies in your jurisdiction (7 years in the examples on this page). Personnel files have their own retention periods. As long as a legal retention obligation is in effect, you may not delete the data it covers.
Exercise of legal claims
If you need the data to pursue a legal dispute or defend against a claim, you may retain it.
Public health
Data needed for reasons of public interest in the area of public health.
Archiving in the public interest
Data kept for archiving, scientific or historical research, or statistical purposes.
Freedom of expression
If deletion would hinder the exercise of the right to freedom of expression and information.
How to handle a deletion request
1. Register and verify
Just like with an access request: register the request, verify the identity of the requester, and note the date of receipt, because the one-month deadline runs from that date. Keep the identity check proportionate: ask only for what you need to be confident the requester is the data subject, and do not collect new personal data for the sole purpose of verification.
2. Assess per dataset
Check per category of data whether you have grounds to retain:
| Data | Retention obligation? | Action |
|---|---|---|
| Invoices with name/address | Yes (7 years fiscal) | Refuse, explain why |
| CRM notes | No | Delete |
| Email correspondence | Possibly (ongoing dispute) | Assess per case |
| Newsletter address | No (consent withdrawn) | Delete |
| Personnel file | Partially (2-7 years) | Assess per document |
3. Inform third parties
If you have shared the data with other parties, you must follow up with them. Processors act on your instructions, so instruct them to delete the data (and any copies they hold) and to confirm that they have done so. Other recipients, such as separate controllers you passed the data to, must be notified of the erasure unless this proves impossible or involves disproportionate effort; if the data subject asks, you must also tell them who those recipients are.
4. Respond within one month
Inform the data subject about your decision within one month of receipt (or within the extended period, if you notified them of an extension in time):
- If deleting: confirm which data you have deleted
- If (partially) refusing: explain which data you are retaining and on what grounds
Template: Deletion Confirmation
Confirm to the data subject which data you have deleted and which parties you have informed.
Template: Deletion Refusal
Substantiate why you (partially) refuse a deletion request, with reference to the legal ground.
5. Document
Record what you have deleted, what you have retained, and why. This is your evidence in case of a complaint.
The pitfall of partial deletion
In practice, the answer to a deletion request is rarely “delete everything” or “delete nothing”. Usually it is: delete part and retain part with a valid reason. That is fine, but communicate it clearly to the data subject, and do not confirm a full deletion when you have retained part. Data you keep under a retention obligation should be used only for that purpose, for example by blocking the record for marketing and other day-to-day use until the retention period expires.
GDPRWise helps you assess and document deletion requests, including templates for your response.