Handling Right-to-Erasure Requests: DSAR Response Guide

How to process GDPR right-to-erasure requests step by step. Verification, deletion scope, third-party notification, response templates, and timeline.

Last updated: 2026-02-08

Someone Wants Their Data Deleted

A right-to-erasure request under GDPR Article 17 is a DSAR asking you to destroy personal data rather than disclose it. This guide covers the operational steps for processing these requests correctly and on time.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.

For the basics on DSARs generally, see our DSAR overview and response guide.

When Erasure Applies (Quick Reference)

Article 17(1) lists six grounds. At least one must apply:

  1. Data no longer necessary for its original purpose
  2. Consent withdrawn and no other legal basis exists
  3. Individual objects to processing (absolute for direct marketing)
  4. Unlawful processing — no valid legal basis ever existed
  5. Legal obligation requires deletion (e.g., retention period expired)
  6. Children's data collected via online services

If none of these grounds apply, you can refuse — but you must explain why within the one-month deadline.

When You Can Refuse

Article 17(3) exceptions override the erasure right:

  • Legal obligation to retain — tax records, regulatory requirements, statutory minimums
  • Legal claims — data needed for establishment, exercise, or defense of claims
  • Freedom of expression — journalism, academic, artistic purposes
  • Public health or archiving/research in the public interest

If an exception covers only some of the data, delete what you can and explain what you retained and why.

Step-by-Step: Processing the Request

1. Log It Immediately

Record the date received, requester identity, what they want deleted, and how the request arrived. The one-month clock starts now.

2. Verify Identity

Proportionate verification — match the effort to the risk:

  • Authenticated user (logged in): Authentication is sufficient
  • Email from known address: Match to account on file
  • Sensitive data or uncertain identity: Require additional verification (two data points minimum)

Do not demand a passport to delete a newsletter subscription. See our identity verification guide for detail.

3. Check for Exceptions

Review whether any Article 17(3) exception applies. Common ones for small businesses:

  • Tax records must be retained (typically 6-7 years in EU member states)
  • Data relevant to pending or threatened legal claims
  • Contractual obligations still in force

Document which exception applies and to which specific data.

4. Execute Deletion

Delete from all systems:

  • Production databases and applications
  • CRM and marketing tools (Mailchimp, HubSpot, etc.)
  • Email (search for their name/address)
  • Cloud storage and file shares
  • Customer support systems
  • Analytics platforms (where individual data is identifiable)
  • Spreadsheets and local copies

Backups: You are not required to selectively delete from encrypted backups where doing so is technically infeasible. Document your backup retention cycle and make sure the erased data is not re-introduced when a backup is restored.

5. Notify Third Parties

Under Article 17(2), if you shared the data or made it public, take "reasonable steps" to inform recipients of the erasure request. Under Article 19, notify any third parties you disclosed the data to.

Keep a record of who you notified.

6. Respond Within One Month

Confirm in writing:

  • What data was deleted and from which systems
  • Which third parties were notified
  • Any data retained, with the specific exception cited
  • Their right to lodge a complaint with a supervisory authority (if you refused anything)

For complex requests, you can extend by two months — but you must tell the requester within the first month and explain why.
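Steps 1 to 6 above, together with the backup caveat from step 4, fit naturally into a small request tracker. The following is an added example written for this guide, not code from any DSAR product: the system names, the in-memory stores, the retention rule and the recipient list are all constructed. It shows the pieces a practitioner usually gets wrong in practice: month-end clamping when computing the one-month clock, refusing to delete before verification, retaining only the data covered by a documented exception, and keeping a suppression (tombstone) list that is re-applied on backup restore so erased records do not silently come back.

```python
from dataclasses import dataclass, field
from datetime import date
import calendar


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic that clamps to the end of the target month,
    so a request received on 31 January is due on 28 (or 29) February."""
    m0 = d.month - 1 + months
    year = d.year + m0 // 12
    month = m0 % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


@dataclass
class ErasureRequest:
    subject_id: str          # requester's account identifier (constructed)
    received: date           # step 1: the clock starts on receipt
    channel: str             # how the request arrived
    verified: bool = False   # step 2: set only after proportionate verification
    extended: bool = False   # step 6: two-month extension, told within month 1
    deleted_from: list = field(default_factory=list)
    retained: dict = field(default_factory=dict)   # system -> exception cited
    notified: list = field(default_factory=list)   # step 5: recipients informed

    def deadline(self) -> date:
        return add_months(self.received, 3 if self.extended else 1)


def execute_erasure(req, systems, retention_rules, recipients, suppression):
    """Steps 3-5: fan out over every system, retain only where a documented
    Article 17(3) exception applies, record notified recipients, and tombstone
    the subject so a later backup restore cannot resurrect the records."""
    if not req.verified:
        raise PermissionError("identity not verified; do not delete")
    for name, store in systems.items():
        if req.subject_id not in store:
            continue
        if name in retention_rules:
            req.retained[name] = retention_rules[name]   # step 3: document it
            continue
        del store[req.subject_id]
        req.deleted_from.append(name)
    for party in recipients.get(req.subject_id, []):
        req.notified.append(party)   # a real system would send the notice here
    suppression.add(req.subject_id)
    return req


def restore_backup(backup, suppression):
    """Re-apply the suppression list on restore: the backup itself is left
    untouched (selective deletion may be infeasible), but erased subjects
    are dropped before the data goes back into production."""
    return {sid: rec for sid, rec in backup.items() if sid not in suppression}


def confirmation(req):
    """Step 6: the written response, listing deletions, notifications, any
    retained data with its exception, and the complaint right if anything
    was refused."""
    lines = [f"Request received {req.received}, due {req.deadline()}.",
             "Deleted from: " + (", ".join(req.deleted_from) or "none"),
             "Third parties notified: " + (", ".join(req.notified) or "none")]
    for system, reason in req.retained.items():
        lines.append(f"Retained in {system}: {reason}")
    if req.retained:
        lines.append("You may lodge a complaint with a supervisory authority.")
    return "\n".join(lines)


def sample_run():
    """Constructed walkthrough: one subject present in three systems, one of
    which must retain its records under a tax-retention rule (hypothetical)."""
    systems = {
        "crm": {"u-1001": {"email": "a@example.com"}},
        "support": {"u-1001": {"tickets": 2}, "u-2002": {"tickets": 1}},
        "billing": {"u-1001": {"invoices": ["INV-7"]}},
    }
    retention_rules = {"billing": "Art. 17(3)(b): invoices kept for tax purposes"}
    recipients = {"u-1001": ["payment-processor"]}
    suppression = set()
    crm_backup = dict(systems["crm"])          # snapshot taken before erasure
    req = ErasureRequest("u-1001", date(2026, 1, 31), "email", verified=True)
    execute_erasure(req, systems, retention_rules, recipients, suppression)
    restored = restore_backup(crm_backup, suppression)
    return req, systems, restored


if __name__ == "__main__":
    request, _, _ = sample_run()
    print(confirmation(request))
```

The suppression list is the part worth copying: it turns "ensure the data is not restored" from a promise into a check that runs every time a backup is replayed, and it doubles as the audit record of which subjects were erased and when.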

Combined Access + Erasure Requests

"Tell me what data you have, then delete it" is common. Handle as two sequential steps:

  1. Fulfill the access request — provide their data
  2. Then process the erasure — delete it
  3. Both share the same one-month deadline

Do not delete first and then say you have nothing to disclose.

Timeline Summary

Scenario                  | Deadline         | Action
--------------------------|------------------|-----------------------------------
Standard request          | 1 month          | Delete and confirm
Complex request           | Up to 3 months   | Notify of extension within 1 month
Refusal                   | 1 month          | Explain reason and cite exception
Combined access + erasure | 1 month (shared) | Provide data, then delete

Common Mistakes

  • Deleting without verifying identity — deleting the wrong person's data creates a new problem
  • Ignoring third-party notification — failing to notify recipients is a separate violation
  • Treating backups as an exception — they are a technical feasibility consideration, not an exemption
  • Over-deleting — if only some data falls under an exception, delete what you must and retain what you are legally required to keep
  • Missing the deadline — even if you plan to refuse, you must respond within one month
