The right to deletion
The right to erasure, officially the “right to deletion”, gives data subjects the right to ask you to erase their personal data. It sounds simple, but in practice it is one of the trickiest rights to handle correctly.
This is because the right is not absolute. There are situations where you must delete, situations where you may refuse, and situations where you are even obliged to refuse.
When you must delete
You are obliged to delete data when:
- The data is no longer needed for the purpose for which you collected it. For example, the customer relationship has ended and you have no other purpose for keeping the data.
- The data subject withdraws consent and there is no other legal basis. If you process data based on consent and it is withdrawn, you must delete.
- The data subject objects to processing based on legitimate interest, and your interest does not outweigh theirs.
- The data was processed unlawfully, for example because you had no valid legal basis for collecting it.
- A legal obligation requires you to delete.
When you may refuse
You may refuse a deletion request if the data is needed for:
Legal retention obligation
Accounting documents must be retained for 7 years. Personnel files have their own retention periods. As long as a legal retention obligation is in effect, you may not delete.
Exercise of legal claims
If you need the data to pursue a legal dispute or defend against a claim, you may retain it.
Public health
Data needed for reasons of public interest in the area of public health.
Archiving in the public interest
Data kept for archiving, scientific or historical research, or statistical purposes.
Freedom of expression
If deletion would hinder the exercise of the right to freedom of expression and information.
How to handle a deletion request
1. Register and verify
Just like with an access request: register the request, verify the identity, and note the date.
2. Assess per dataset
Check per category of data whether you have grounds to retain:
| Data | Retention obligation? | Action |
|---|---|---|
| Invoices with name/address | Yes (7 years fiscal) | Refuse, explain why |
| CRM notes | No | Delete |
| Email correspondence | Possibly (ongoing dispute) | Assess per case |
| Newsletter address | No (consent withdrawn) | Delete |
| Personnel file | Partially (2-7 years) | Assess per document |
3. Inform third parties
If you have shared the data with other parties (processors, recipients), you must also inform them that the data must be deleted.
4. Respond within one month
Inform the data subject about your decision:
- If deleting: confirm which data you have deleted
- If (partially) refusing: explain which data you are retaining and on what grounds
Template: Deletion Confirmation
Confirm to the data subject which data you have deleted and which parties you have informed.
Template: Deletion Refusal
Substantiate why you (partially) refuse a deletion request, with reference to the legal ground.
5. Document
Record what you have deleted, what you have retained, and why. This is your evidence in case of a complaint.
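The five steps above can be modelled as a small workflow so that every request is assessed the same way and the record for step 5 is produced automatically. The Python below is an added example written for this page, not code from GDPRWise; the data model, category names, retention dates and third-party names are assumptions constructed to mirror the assessment table, and the one-month deadline is computed by simple calendar arithmetic.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class DataCategory:
    """One category of personal data held about the requester (assumed model)."""
    name: str
    legal_retention_until: Optional[date] = None    # end of a statutory retention period, if any
    ongoing_dispute: bool = False                    # needed to exercise or defend legal claims
    consent_withdrawn: bool = False                  # processing rested on consent that is now withdrawn
    shared_with: list = field(default_factory=list)  # processors/recipients holding a copy


@dataclass
class Decision:
    category: str
    action: str   # "delete" or "retain"
    ground: str   # reason recorded for the file and quoted in the response
    notify: list  # third parties to inform of the deletion


def assess_category(cat: DataCategory, today: date) -> Decision:
    """Step 2: decide per category whether a ground to retain exists."""
    # A retention obligation that is still running overrides the request.
    if cat.legal_retention_until is not None and cat.legal_retention_until >= today:
        return Decision(cat.name, "retain",
                        f"legal retention obligation until {cat.legal_retention_until.isoformat()}", [])
    # Data needed for an ongoing dispute may be kept until the dispute is over.
    if cat.ongoing_dispute:
        return Decision(cat.name, "retain",
                        "needed for the establishment, exercise or defence of legal claims", [])
    # No ground to retain: delete, and record why deletion is required.
    ground = ("consent withdrawn and no other legal basis" if cat.consent_withdrawn
              else "no longer necessary for the purpose it was collected for")
    return Decision(cat.name, "delete", ground, list(cat.shared_with))


def add_one_month(d: date) -> date:
    """Same day of the next month, clamped to that month's last day (31 Jan -> 28/29 Feb)."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    first_of_following = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    last_day = (first_of_following - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


def deadline_for(request_date_iso: str) -> str:
    """Step 4: the one-month response deadline, as an ISO date string."""
    return add_one_month(date.fromisoformat(request_date_iso)).isoformat()


def handle_request(request_date: date, categories: list, today: Optional[date] = None) -> dict:
    """Steps 2-5: assess, collect third parties to inform, and build the record to keep."""
    today = today or request_date
    decisions = [assess_category(c, today) for c in categories]
    deleted = [d.category for d in decisions if d.action == "delete"]
    retained = {d.category: d.ground for d in decisions if d.action == "retain"}
    if deleted and retained:
        outcome = "partial deletion"
    elif deleted:
        outcome = "full deletion"
    else:
        outcome = "full refusal"
    return {
        "request_date": request_date.isoformat(),
        "response_deadline": add_one_month(request_date).isoformat(),
        "outcome": outcome,
        "deleted": deleted,
        "retained": retained,
        # Step 3: every recipient of a deleted category must be told to delete too.
        "third_parties_to_notify": sorted({p for d in decisions for p in d.notify}),
    }


def example_request() -> dict:
    """Constructed sample mirroring the assessment table; all values are assumptions."""
    today = date(2025, 3, 15)
    categories = [
        # Invoice issued in 2024: assumed 7-year fiscal retention running to the end of 2031.
        DataCategory("Invoices with name/address", legal_retention_until=date(2031, 12, 31),
                     shared_with=["accountant"]),
        DataCategory("CRM notes", shared_with=["crm-provider"]),
        DataCategory("Email correspondence", ongoing_dispute=True),
        DataCategory("Newsletter address", consent_withdrawn=True, shared_with=["newsletter-provider"]),
    ]
    return handle_request(today, categories)


if __name__ == "__main__":
    import json
    print(json.dumps(example_request(), indent=2))
```

The returned record is the evidence for step 5: it lists what was deleted, what was retained with the ground for each category, which recipients still need to be informed, and the date by which the data subject must have an answer. Note that only recipients of deleted categories end up in the notification list; a processor holding retained data is not told to delete.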
The pitfall of partial deletion
In practice, the answer to a deletion request is rarely “delete everything” or “delete nothing”. Usually it is: delete part and retain part with a valid reason. That is fine, but communicate it clearly to the data subject.
GDPRWise helps you assess and document deletion requests, including templates for your response.