- GDPR Article 17 gives individuals the right to request deletion of personal data in defined circumstances
- The right is not absolute — six specific exemptions allow you to refuse or limit erasure
- AML-obliged entities cannot erase KYC records during the mandatory retention period
- Erasure applies to all copies — including backups and data held by processors
The right to erasure — sometimes called the right to be forgotten — gives individuals the right to have their personal data deleted without undue delay in certain circumstances. Article 17 of GDPR sets out both the right and its limits. Understanding both is essential for any regulated business that receives erasure requests from clients, former clients, employees, or prospects.
When the right to erasure applies
An individual can request erasure when one of the following grounds applies:
- The personal data is no longer necessary for the purpose it was collected for
- The individual withdraws consent (and there is no other lawful basis for processing)
- The individual objects to processing under Article 21 and there are no overriding legitimate grounds
- The personal data was unlawfully processed
- Erasure is required for compliance with a legal obligation
- The data was collected in relation to the offer of information society services to a child
When you can refuse erasure
The right to erasure does not apply when processing is necessary for one of the following purposes (Article 17(3)):
- Exercising the right of freedom of expression and information
- Compliance with a legal obligation — for example, AML/KYC retention requirements, tax records, or employment law requirements
- Public health purposes (in the public interest)
- Archiving in the public interest, scientific, historical, or statistical purposes — where erasure would seriously impair those purposes
- Establishment, exercise, or defence of legal claims — if you need the data for ongoing or anticipated litigation
For regulated businesses: The most commonly applicable exemption is the legal obligation ground. AML-obliged entities must retain KYC records for five years post-relationship. A client asking you to delete their KYC file during that period can be refused on this basis — but you must tell them this and explain which legal obligation applies.
The 30-day response deadline
Like DSARs, erasure requests must be responded to within 30 calendar days of receipt. You must either confirm the erasure has been carried out, explain why you are refusing (including the specific exemption), or request an extension (maximum two months, with notice within the first 30 days).
What erasure actually means in practice
Erasure does not mean simply deleting the primary record. It means removing the individual's personal data from all locations where it exists:
- Your primary systems (CRM, case management, HR)
- Email archives and correspondence
- Backup copies (backups should be treated separately — an immediate wipe of all backups may not be proportionate, but the data must be deleted when the backup is next restored or overwritten)
- Processors — you must instruct any data processors who hold the data to erase it
- Third-party recipients — where data was disclosed to third parties, you must take reasonable steps to inform them of the erasure request (Article 17(2))
Documenting erasure decisions
Whether you comply or refuse, document the decision. Record: who made the request, when, what data was affected, what decision was made, the grounds for that decision, and what action was taken. This documentation is essential if the individual complains to a supervisory authority.
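As an added example that is not HubSecure's code or part of the original guide, the following Python sketch shows how an erasure-request handler can apply the legal-obligation and legal-claims exemptions described above, compute the 30-day response deadline, and produce the documentation record this section asks for (who, when, what decision, which grounds, what actions). The `Subject`, `ErasureDecision`, `retention_end` and `decide` names are hypothetical; the five-year KYC retention and 30-day deadline are the figures stated on this page.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

KYC_RETENTION_YEARS = 5        # retain KYC records five years post-relationship (from the page)
RESPONSE_DEADLINE_DAYS = 30    # respond within 30 calendar days of receipt (from the page)

@dataclass
class Subject:
    subject_id: str
    kyc_relationship_ended: Optional[date] = None  # None: no AML/KYC retention duty applies
    litigation_hold: bool = False                  # data needed for ongoing/anticipated claims

@dataclass
class ErasureDecision:
    """Audit record kept whether the request is honoured or refused."""
    request_id: str
    subject_id: str
    received: date
    deadline: date
    decision: str                                  # "erased" or "refused"
    grounds: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)

def retention_end(ended: date) -> date:
    """Day the AML retention period expires (a 29 Feb anniversary rolls to 1 Mar)."""
    try:
        return ended.replace(year=ended.year + KYC_RETENTION_YEARS)
    except ValueError:
        return ended.replace(year=ended.year + KYC_RETENTION_YEARS, month=3, day=1)

def decide(request_id: str, subject: Subject, received: date, today: date,
           locations: List[str], processors: List[str]) -> ErasureDecision:
    """Apply the Article 17(3) exemptions, then record the decision and follow-up actions."""
    deadline = received + timedelta(days=RESPONSE_DEADLINE_DAYS)
    grounds = []
    if subject.kyc_relationship_ended and today < retention_end(subject.kyc_relationship_ended):
        grounds.append("Art. 17(3)(b) legal obligation: AML/KYC retention until "
                       + retention_end(subject.kyc_relationship_ended).isoformat())
    if subject.litigation_hold:
        grounds.append("Art. 17(3)(e): establishment, exercise or defence of legal claims")
    if grounds:  # refusal notice must name the exemption and the individual's remedies
        actions = ["notify subject: specific grounds, right to complain to the "
                   "supervisory authority, right to seek judicial remedy"]
        return ErasureDecision(request_id, subject.subject_id, received, deadline,
                               "refused", grounds, actions)
    actions = [f"erase from {loc}" for loc in locations]                 # primary systems
    actions += [f"instruct processor {p} to erase" for p in processors]  # Art. 17 via processors
    actions.append("mark backups: purge on next restore or overwrite")   # proportionate handling
    return ErasureDecision(request_id, subject.subject_id, received, deadline,
                           "erased", ["Art. 17(1): no exemption applies"], actions)
```

Serialising the returned `ErasureDecision` (for example with `dataclasses.asdict`) gives the record to keep for a supervisory-authority complaint.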
When you refuse
Your refusal notice must: inform the individual of the specific grounds for refusal, advise them of their right to complain to a supervisory authority, and advise them of their right to seek judicial remedy. Be specific about which exemption applies — "we need it for legal reasons" is not sufficient.
Does erasure apply to paper records as well as digital records?
Yes. The right to erasure applies to all personal data, regardless of whether it is held digitally or in physical form. Paper records containing the individual's personal data must also be destroyed — following your secure disposal procedures.
What if erasing the data would make other records incomplete or inaccurate?
This is a genuine tension. Where complete erasure would distort other records (e.g., removing a party from a transaction record that must be maintained for tax purposes), consider whether restriction of processing rather than full erasure is more appropriate. Restriction means the data is stored but not used — and may satisfy the individual's concern without requiring destruction of legally required records.
Handle erasure requests with confidence
HubSecure's Vault and CRM give you a complete view of all data held about each client — making erasure audits, redaction, and deletion fast and fully documented.
Prepared by the HubSecure editorial team for operators, compliance leaders and IT reviewers evaluating secure client operations software.