GDPR Right to Erasure: How to Respond When a Client Requests It
A client requests deletion of all their data. You have 1 month. It's not as simple as clicking 'Delete account'. Here's exactly what the law requires — and what it allows you to refuse.
The Right to Erasure: What Art. 17 GDPR Says
Article 17 of GDPR establishes the 'right to erasure', often called the 'right to be forgotten'. It applies in 5 cases:
When Can You Legally Refuse?
Important: if you refuse, you must inform the person of the reason for refusal and their right to contact CNIL or a court. Never refuse without explanation.
Do your SaaS tools allow complete erasure?
Some tools don't allow granular deletion. Check their GDPR compliance with RGPDScan.
Recommended 5-Step Procedure
Request ID if doubt about identity. Don't ask for ID systematically — disproportionate. For client accounts, account login is generally sufficient.
Main database, CRM, email tool, server logs, backups, CSV exports, Google Analytics (segment purge), third-party tools. Every system holding the data must be included.
Complete deletion OR true anonymization (impossible to re-identify). Pseudonymization is not enough. For mandatory accounting data: anonymize personal data, keep amounts.
If you shared data with third parties (sub-processors, partners), you must ask them to erase as well. Art. 19 GDPR.
Confirm in writing the erasure performed (list of purged systems, date). Keep this document for 5 years. If partial refusal: explain the legal reason and retained data.