Right to erasure
In certain cases, the data subject has the right to have the controller erase data concerning him or her without undue delay. This right is also known as the right to be forgotten.
The controller is obligated to erase the personal data without undue delay if
- the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed
- the data subject withdraws the consent on which the processing was based and there is no other legal basis for the processing
- the data subject objects to the processing of his or her data for purposes of direct marketing or otherwise exercises the right to object and there is no other justified reason for the processing
- the personal data has been processed unlawfully
- the personal data has to be erased for compliance with a legal obligation to which the controller is subject
- a child's personal data have been collected in connection with the provision of information society services.
The right to erasure does not apply if the processing of the data is necessary
- for exercising the right of freedom of expression and information
- for compliance with a legal obligation
- for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- for reasons of public interest in the area of public health
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes insofar as the erasure of the data is likely to render the activity impossible or seriously impair it
- for the establishment, exercise or defence of legal claims.
How quickly is the controller required to reply to the data subject’s request?
The controller must respond to the data subject without undue delay and no later than one month after receiving the request. In the reply, the controller shall indicate the measures it has taken in response to the request.
If the requests are numerous or complex, the controller can reply that it needs more time to process them. In such cases, the deadline can be extended by a maximum of two months. Justifications must be provided for the extension.
Is it possible to charge the data subject a fee?
As a rule, the exercise of rights is free of charge. If the requests are manifestly unfounded or excessive, the controller can either charge the data subject a reasonable fee or refuse the request.
Requests can be considered manifestly unfounded or excessive particularly if they are made repeatedly. The controller bears the burden of demonstrating the manifestly unfounded or excessive nature of the request.
The administrative costs of supplying the information or messages or carrying out the requested measure must be taken into account when determining the amount of any fee.
Can the request be refused?
The controller evaluates whether or not the conditions for erasure are met. If the controller finds that the right to erasure does not apply, it is entitled to refuse the request, and the data subject can then refer the matter to the Data Protection Ombudsman.
If the data subject’s requests are manifestly unfounded or excessive, the controller can either refuse the request or charge a reasonable fee for fulfilling it.
If the controller refuses the request, it must notify the data subject of this within one month of receiving the request. The refusal must be justified. In addition, the controller must inform the data subject of the possibility of lodging a complaint with the supervisory authority and the availability of judicial remedies.
Inform recipients of the erasure of personal data
Where viable, the controller must inform each recipient to whom the personal data has been disclosed of the erasure of the personal data. The controller is required to notify the data subject of these recipients if so requested by him or her.
If the controller has made the personal data public and is obliged to erase the personal data at the data subject's request, it shall take reasonable steps to inform organisations processing the personal data that the data subject has requested them to erase any links to the personal data or copies thereof. Reasonable steps include technical measures. The available technology and costs of the measures are taken into account in the evaluation of this obligation.
Confirming the identity of the data subject
The controller must be able to confirm the identity of the data subject exercising his or her data protection rights. If the controller has reasonable doubts concerning the identity of the person who made the request, it can request the provision of additional information necessary to confirm his or her identity.
The GDPR does not provide for the methods of confirming the data subject’s identity. The principle of data minimisation must be followed in the confirmation of identity, and as a rule, no more data may be collected for the purpose of confirming identity than the controller already has in its possession.
If the controller is unable to identify the data subject, it must notify him or her of this if viable. If it refuses the data subject’s request due to not being able to identify the data subject, it must demonstrate that this is the case.
If the data subject cannot be identified, he or she cannot exercise the right
- of access to data
- to rectification of data
- to erasure of data
- to restrict the processing of data or
- to data portability.
When is confirming the data subject's identity not necessary?
Personal data may be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of processing.
If personal data that permits the identification of the data subject is not necessary for the purpose of processing, the GDPR does not obligate controllers to keep, obtain or process such additional data solely for the purpose of compliance with the GDPR.
Appropriate procedures for verifying identity often already exist in the organisation. The controller may have verified the identity of the data subject, for example, before concluding the contract or requesting consent for the processing of personal data. In this case, the identity can be confirmed by comparing the data of the person who made the request with data already in the controller’s possession regarding the data subject. The request for additional information shall not lead to the collection of irrelevant or unnecessary personal data.
The controller is obliged to facilitate the exercise of the data subject’s rights. Confirmation of identity must not lead to difficulties in the exercise of rights. For example, the controller cannot, as a rule, demand that a request be made on site at the controller’s office. The use of identity cards to verify identity must be carefully considered. Primarily, the identity should be confirmed by other means.
The methods of confirming identity must also take into account the different situations of the data subjects: for example, the possibilities of older people or persons in a vulnerable position to visit an organisation’s office or use electronic systems may be limited. Children also have the right to access information concerning them, but they may not have the tools needed for electronic identification. In other words, the controller must assess how it is able to take different people into account and implement their rights as comprehensively as possible.
Good practices for implementing the right to erasure
The European Data Protection Board has drawn up guidelines and good practices for implementing the right to erasure.
Establish internal procedures which define clear processing steps and deadlines for requests and keep those procedures up to date.
Assign responsibilities for handling and documenting erasure requests within your organisation.
Map the personal data and its storage locations in your organisation’s systems with the help of a record of processing activities. This way, you can get a clear picture of which data should be erased on request and where those data are located.
Larger organisations in particular may find it useful to apply for certifications to demonstrate compliance with globally established ISO standards. These include the ISO/IEC 27001 standard, which contains recommendations for the organisation’s information security management, risks and control, and the ISO 9001 standard, which contains requirements for building and developing the organisation’s quality management system. Even if your organisation will not apply for certification, standards can be good source material for additional internal guidelines and the improvement of internal processes.
In addition, consider whether your organisation could draw up a code of conduct that defines procedures for the effective implementation of the right to erasure. Read more about codes of conduct.
Ensure that your organisation's personnel receives appropriate orientation and has the tools for handling requests for erasure. The processes must comply with the General Data Protection Regulation.
It may be a good idea to organise a test at the end of the orientation to ensure that your staff has understood the procedures. It is also good practice to arrange a practical exercise or simulation on the processing of an erasure request.
If possible, you can also create templates for responding to different types of erasure requests for your staff.
Evaluate the content of your organisation’s privacy statement(s) and, if necessary, supplement them with information on the right to erasure. Ensure that information on exercising the right to erasure is provided to the data subjects in a clear and easily understandable form.
When it is not possible to fully implement the right to erasure, the statements should describe the data to which the right applies.
Provide the data subject with the possibility to first submit a request to review their data so that they can confirm which personal data should be erased.
Also inform the data subjects of the consequences of erasing the data (e.g. impact on service use or the marketing prohibition).
Specify storage periods for all personal data in your organisation. For example, you can use a table that contains the personal data being processed, the legal basis for the processing and the corresponding storage periods.
Document the storage periods and grounds for processing personal data in the record of processing activities. Also describe the legal obligations on which the storage periods are based (e.g. data storage requirements provided for in the Accounting Act, the Working Time Act and anti-money laundering regulation).
Keep the storage periods up to date in the record of processing activities.
Improve the transparency of your organisation’s operations by also describing the storage periods of personal data in the privacy statement or, if this is not possible, the criteria by which they are determined.
Anonymisation refers to the processing of personal data in such a way that individuals can no longer be directly or indirectly identified from them (e.g. abstracting the data to a general level or statistical form). The right to erasure can be implemented by anonymising personal data. Effectively anonymised data are no longer personal data.
It is essential for the controller to ensure that the anonymisation is carried out in a technically effective manner so that the individual can effectively no longer be identified from the data. Identification must be irreversibly prevented so that other parties can no longer connect the data to the person either.
Pseudonymisation means processing personal data so that they can no longer be linked to a specific individual without additional information. Pseudonymised data can still be personal data, in which case data protection regulations must be followed when processing them. The question of whether the data still constitute personal data must always be approached separately from the perspective of each organisation processing the data. As a rule, the right to erasure of personal data cannot be implemented through pseudonymisation.
More information on pseudonymisation and anonymisation
CJEU Decision C-413/23 P on pseudonymisation, EDPS v. SRB, in the EUR-Lex service
Ensure that your compliance or legal departments are involved in the procedures and decision-making when the erasure of data is refused or the implementation of an erasure request is postponed.
In such situations, employ technical and organisational measures such as anonymisation of personal data, encryption or restriction of access to the data.
Follow established technical standards to ensure the secure and structured erasure and destruction of data.
Make sure that the personal data are erased and destroyed in a manner that can be demonstrated afterwards.
The effect of erasure on backups can be limited, for example, by replacing the data to be erased with random character strings.
Positive experiences have been gained from software that automatically extracts all personal data related to a particular data subject from the controller’s internal systems and transfers them to backups that employees cannot access. In such cases, it should nevertheless be ensured that the personal data are either erased or fully anonymised afterwards, so that they can no longer be connected to an individual.