How to respond to GDPR right to erasure request

So, you received an erasure request, and now you wonder what it means and what you need to do. Or you want to learn more about it because you know that businesses increasingly receive such requests from random users on the internet. Whatever situation you’re in, by the end of this article, you’ll know what to do next.

The General Data Protection Regulation (GDPR) of the European Union equipped internet users with individual rights to defend their data privacy. These rights have also been embedded into national laws—the UK has passed the Data Protection Act 2018 and the UK GDPR, Denmark passed their own Data Protection Act, and so on.

The awareness around personal data privacy has increased in recent years, and as a result, the number of data subject requests has also steadily increased. Many businesses receive these requests and need to learn how to handle them.

In this article, we will dive deep into the following:

• What is the GDPR "right to erasure"?
• When are you obligated to comply with a request to erasure?
• What are the exemptions to the right to erasure?
• Can you refuse to respond for other reasons?
• How to respond to requests for erasure
• What happens if you do not respond to a request for erasure?
• How to ensure lawful and timely response to GDPR requests for erasure
  

What is the GDPR “Right to Erasure”?

The GDPR right to erasure gives individuals the right to request the deletion of parts or all of their personal data that you process. It is widely known as the “right to be forgotten.”

The right to be forgotten is part of the GDPR data subject rights, a key instrument of Privacy by Design principles, which also include the right to access, the right to correct, the right to object, the right to object to being subject to automated decision-making and profiling, the right to data portability, and more.

The right is defined by GDPR Article 17 and Recitals 65 and 66.

It applies only to the personal information you hold at the moment of request, and when a user asks you to erase their data, you need to comply with it in most situations.

Unlike some GDPR individual rights, the right to erasure is not an absolute right, which means that there are situations where you must comply with the requests, but there are some exemptions to the rule where you don’t have to comply with them.

When Are You Obligated to Comply with a Request to Erasure?

You must respond and comply with a deletion request every time no exemption applies, and that’s most situations you’ll face.

Remember that exemptions apply in rare cases and that the general rule exists for a good reason.

Article 17(1) of the GDPR says that you must honor a request to erase data when:

• You don’t need to process the personal data for the purposes for which it has been collected. Let’s say you collected a user’s email to send them a free PDF, but they didn’t consent to have marketing materials sent to them. The data subject submits a data erasure request, claiming that you don’t need the data anymore, and they are right. You need to delete the data immediately.
• The data subject withdraws their consent to the processing of their data. When you rely on the user’s consent for data processing, you can process it as long as they agree. If they withdraw the consent, you cannot process the data anymore, but it doesn’t oblige you to delete it immediately. But if they change their mind and ask you to delete the information, you have no choice but to do so.
• The data subject objects to processing their data, and you have no overriding legitimate interest. Users can object to your processing at any time, and you must comply with that request. On top of that, they can request the erasure of their data. You must eliminate the information unless your rights and freedoms are more important than theirs.
• The individual requests the deletion of personal data processed for direct marketing purposes. A Belgian watchdog agency fined a non-profit organization EUR 1,000 because it didn’t follow people’s requests to stop getting direct marketing messages or to be taken off their list.
  Your legitimate interests let you do direct marketing, but only until someone asks you to stop or delete their information.
• Personal data has been processed unlawfully. Illegally processing data can be done in many ways, such as when there is no valid consent, no other legal basis, no compliant privacy and cookie policy, no retention policy, etc.

What Are the Exemptions from the Right to Erasure?

You don’t have to erase the user’s data in any of the following situations:

• For exercising the right of freedom of expression and information. The right to erasure was not meant to fuel censorship, hence the exemption of the general rule. When the data is part of a news article or other media piece and deleting it would hurt people’s right to freedom of expression, the data controller can say no to the erasure request.
  The Belgian Data Protection Agency has confirmed this stance. They said a media outlet did not have to delete the personal information of a person mentioned in an article.
• For compliance with a legal obligation that requires processing by the law to which the controller is subject, or for the performance of a task carried out in the public interest or the exercise of official authority vested in the controller In most countries, labor and taxation laws require the storage of employees’ data. Laws often require public institutions to keep information about beneficiaries for years.
  This data does not have to be deleted upon request, such as in the case of the District Court of Overijssel, where the court held that the data to be deleted was still crucial for the Child Care and Protection Board to perform its legal duties. As a result, the erasure request has been lawfully refused.
• For processing necessary in the area of public health. If the information is needed to protect public health or for other similar reasons, a request to delete it can be turned down.
• For archiving purposes in the public interest, scientific or historical research, or statistical purposes.

Can You Refuse to Respond for Other Reasons?

Yes, you can refuse an erasure request if it is unfounded or excessive.

The request is unfounded if the intent of the data subject is not to have their data deleted but something else. Some examples of unfounded requests include:

• The user asks for some benefit in return for withdrawing the request.
• They have a grudge against an employee of yours, and they state it.
• The request contains accusations against you or your employees.
• The data subject sends requests regularly and disrupts your processes.

Requests are too many if they are about the same thing as other requests or if they overlap with other requests.

You can refuse unfounded or excessive requests. You still need to respond within one month of receiving it. In the response, explain to the user why the request has been refused.

In the case of doubt, seek legal advice or advice from the supervisory authority.

How to Respond to Requests for Erasure

So, you’ve got a data subject erasure request. What should you do now?

Before explaining the process, it is essential to understand two things:

• It would help if you answered as soon as possible, but no later than a month after getting the request.
• Your response must be free of charge unless it requires a disproportionate effort from your side, which allows you to charge a reasonable fee and possibly extend the deadline. However, these are extreme cases, so you should generally delete the data without charge.

The process is simple. It involves the following steps:

1. Receiving the request for erasure
2. Verifying the user’s identity
3. Clarifying the request
4. Inspecting personal data
5. Deleting personal data

Let’s dive into each step, one at a time. To explain them better, we’ll use an imaginary request for the erasure of an email address.

Step 1: Receiving the Request for Erasure

The GDPR obliges you to determine a method for receiving requests. It also obliges you to receive and accept any data subject request as if it has been submitted according to the designated method.

So, if you have a data subject request form on your website but the data subject submitted the request via email, you need to behave as if they contacted you through the request form.

Once you receive the erasure request, you have to respond to it without undue delay. It is good practice to inform the user that you have received it and that it will be answered within the 30-day deadline. You don’t have to give them any specific receipt for the request. Any piece of communication would do.

Then you can move to the next step.

Step 2: Verifying the User’s Identity

You don’t want to delete the wrong person’s data because that would put you in legal trouble. That’s why you need to verify the data subject’s identity first.

If the user has a user account on your website, they could quickly delete personal information. Moreover, it would be easy for you to confirm their identity through their account.

However, that is not always this easy. Sometimes, verifying a user’s identity requires more effort from your side, so you can ask the data subject to take some reasonable steps to confirm who they are.

For example, deleting their phone number could involve sending them an SMS code. Deletion of an email address could include sending a code via email. You can choose your tools for identity verification depending on the data that needs to be deleted.

In our example, you can assume their identity if they contacted you via the same email address. Or you can send them an email code for better security.

Step 3: Clarifying the Request

In this step, you need to make sure that the erasure request:

• is clear regarding the data to be deleted,
• It is not unfounded or excessive, and
• It should not be refused based on the GDPR exemptions.

If all three are true, continue to step 4.

Step 4: Inspecting Personal Data

Here is where you look at the data to find the exact pieces of personal information you need to delete.

To delete an email address from your CRM, you must log in to your CRM, find the email, and delete it. The same goes for deleting an address from email automation software.

Step 5: Deleting Personal Data

Once you have found the required personal data, you can delete it. It is good practice to inform the data subject about it.

Once you delete the data, inform your data processors about the deletion. You’ll be liable if they keep processing the data you had to delete in case it somehow remained on their servers.

What Happens If You Do Not Respond to a Request for Erasure?

Not conforming to erasure requests means a violation of the GDPR. Violation of the GDPR means penalties.

To give you an idea of what may follow a violation, the procedure goes like this:

• You unlawfully refuse the erasure request or do not respond to it at all.
• The data subject has filed a complaint with the supervisory authority.
• The supervisory authority will investigate the case.
• The supervisory authority will make a decision.
• Both parties have the right to a judicial remedy, which means taking the case to court.

The third step, where the data protection agency investigates the case, is where things could get worse for you. When the DPA investigates a complaint, they do not examine only the data subject’s complaint. They can explore all your data privacy practices.

A complaint for refusing an erasure request may result in a decision that you have declined a request unlawfully, that you do not obtain valid consent, your privacy notice is not compliant, you do not log consent, you do not employ sufficient data security measures, etc. You get the idea.

If you don’t comply with a single request to delete data, the supervisory authorities may look at your company and find many other GDPR violations.

As we mentioned above, GDPR violations mean GDPR penalties. Some companies get away with orders and reprimands, but some pay hefty fines. Here are a few examples to get the big picture:

• The Belgian DPA scolded a company that didn’t delete the personal information of a former client by the deadline of one month;
• The Hungarian Data Protection Authority fined a telecommunications company EUR 28,000 for sending unsolicited emails to data subjects even after they said they didn’t want them and asked them to stop.
• The Greek DPA fined a service provider EUR 5,000 because they didn’t comply with an erasure request. This was because of a technical error that caused a data subject’s data to be duplicated on their servers. An investigation showed that the same error had also affected other data subjects.
• The District Court of Overijssel in the Netherlands told the city of Amelo to get rid of a child’s personal information and also gave the child and his mother EUR 125 each in damages.
• The Spanish AEPD fined a marketing company in Spain EUR 15,000 for sending direct marketing emails even after being asked to stop.
• Carrefour France was fined EUR 2.25 million by the French CNIL for a number of violations, including not responding to requests to delete data. During the investigation, violations were found that had nothing to do with the complaints.
  

How to Ensure Lawful and Timely Response to GDPR Requests for Erasure

Businesses that know how to handle data privacy can quickly delete information when asked to do so.

At a minimum, you should do the following to streamline the process:

• Recognize your data flow. Knowing how your data flows throughout the company’s and processors’ servers can save lots of headaches for your business regarding GDPR compliance. It will also allow you to quickly determine where and how to find the personal data you need to delete.
• We have a DSAR system in place. A data subject access request (DSAR) system allows you to streamline the process of receiving and fulfilling requests related to any GDPR individual right. It helps you get all the information you need in one place to comply without spending too much money on resources.
• Determine a person to handle requests. If you have a data protection officer (DPO), they could do the job. If you don’t have one, determine a person in your team that will receive and respond to the requests. Make sure that this person is trained for the task.
• Seek advice. If you still struggle to understand how to handle requests, seek legal advice or advice from the supervisory authority. The Information Commissioner’s Office (ICO) in the UK, the CNIL, the AEPD, and other data protection agencies are ready to help businesses that want to comply with GDPR.

Book a call today if you would like more information about Secure Privacy and GDPR Cookie Consent compliance, or if you would like our data protection expert to perform a quick 'check-up' of your website, cookie consent banner, or cookie policy. 

Schedule a call to learn more