What is GDPR? Part 6 – Right to erasure

How users can ask to have their data deleted

The GDPR gives individuals strong rights over their personal data. One of the most famous and powerful is the Right to Erasure, also known as the Right to be Forgotten.

This right allows people to ask you to delete their personal data. And in many cases, you must say yes.

Knowing when and how to honor a deletion request is essential for GDPR compliance.


🧠 What is the Right to Erasure?

The Right to Erasure (GDPR Article 17) means individuals can request the deletion of their personal data when:

  • The data is no longer needed for the original purpose
  • The user withdraws consent
  • The user objects to processing and there are no overriding legitimate reasons to keep it
  • The data was unlawfully processed
  • The data must be deleted to comply with a legal obligation

📋 When do you have to delete the data?

If one of the above conditions applies, you must erase the personal data without undue delay.

This includes deleting:

  • Active records in your system
  • Archived copies and backups (where feasible)
  • Data shared with third parties (you must also inform them)

You cannot simply keep the data hidden or deactivated. True deletion is required.


🚫 When can you refuse a deletion request?

You may refuse to erase data if:

  • You need it to comply with a legal obligation (for example, tax records)
  • You need it to establish, exercise, or defend legal claims
  • You are processing it for certain public interest reasons (such as health or research)

Even then, you must clearly explain why you are keeping the data.


📬 Real-world examples

  • Customer account deletion: If a user asks you to delete their account and you no longer need their data for billing or legal purposes, you must delete it.

  • Marketing opt-out: If a newsletter subscriber withdraws consent and requests full deletion, you must remove them from all marketing systems.

  • Backup considerations: If deletion from active systems is immediate, but deletion from backups is delayed by technical limitations, you must still ensure the backup will eventually be cleaned.


⚠️ Important rules to remember

  • You must make it easy for users to request deletion.
  • You must respond within one month.
  • You cannot charge a fee unless the request is clearly unfounded or excessive.
  • You must take reasonable steps to notify third parties if you shared the data.

The Right to Erasure is about control

The Right to Erasure is a reminder that personal data belongs to the individual, not the company.

Respecting deletion requests is not just about avoiding fines. It is about building a company that treats personal data with the care and respect it deserves.


ToolHive helps you track data sources, manage consent withdrawals, and stay GDPR compliant. Start your free trial today and take control of your compliance processes.