Art. 17 GDPR 8 min read·

GDPR Right to Erasure: How to Respond When a Client Requests It

A client requests deletion of all their data. You have 1 month. It's not as simple as clicking 'Delete account'. Here's exactly what the law requires — and what it allows you to refuse.

The Right to Erasure: What Art. 17 GDPR Says

Article 17 of GDPR establishes the 'right to erasure', often called the 'right to be forgotten'. It applies in 5 cases:

Data is no longer necessary for the purposes for which it was collected
The person withdraws consent and there is no other legal basis
The person objects to processing and there is no overriding legitimate reason
The data has been unlawfully processed
Erasure is required to comply with a legal obligation

When Can You Legally Refuse?

Legal retention obligation (accounting 10 years, contracts 5 years, pay slips 5 years)
Exercise of freedom of expression and information (press, research, public interest)
Reasons of public interest in the area of public health
Archiving, scientific or historical research purposes
Establishment, exercise or defense of legal claims

Important: if you refuse, you must inform the person of the reason for refusal and their right to contact CNIL or a court. Never refuse without explanation.

Do your SaaS tools allow complete erasure?

Some tools don't allow granular deletion. Check their GDPR compliance with RGPDScan.

Recommended 5-Step Procedure

1
Verify requester identity

Request ID if doubt about identity. Don't ask for ID systematically — disproportionate. For client accounts, account login is generally sufficient.

2
Inventory all affected systems

Main database, CRM, email tool, server logs, backups, CSV exports, Google Analytics (segment purge), third-party tools. Every system holding the data must be included.

3
Erase or anonymize

Complete deletion OR true anonymization (impossible to re-identify). Pseudonymization is not enough. For mandatory accounting data: anonymize personal data, keep amounts.

4
Inform sub-processors

If you shared data with third parties (sub-processors, partners), you must ask them to erase as well. Art. 19 GDPR.

5
Respond and document

Confirm in writing the erasure performed (list of purged systems, date). Keep this document for 5 years. If partial refusal: explain the legal reason and retained data.

Going Further

Frequently Asked Questions

Can a client request the erasure of all their data?
They can request erasure, but this right is not absolute. You can refuse if you have a legal obligation to retain (accounting: 10 years, contracts: 5 years), if data is necessary for the defense of legal rights, or for public interest purposes. Inform the client of the reason for refusal and their right to appeal to CNIL.
Does deleting the client account suffice for right to erasure?
No. Deleting the front-end account doesn't suffice if data persists in the database, backups, logs, export files, CRM, email tool, etc. Erasure must be complete or justified by a legal obligation.
Must data in backups be erased?
In principle yes, but CNIL admits a practical tolerance: if immediate deletion in backups is technically very complex (magnetic tapes, cold archives), you can indicate that backups will be purged at their next rotation, and guarantee they won't be restored to use this data.
What deadline for responding to an erasure request?
1 month from receipt of the request. This deadline can be extended by 2 additional months if the request is complex or numerous, provided you inform the requester of the extension and its reason within the initial 1-month deadline.
Can an erasure request from a former employee be refused?
Certain data must be retained: pay slips (5 years), HR documents related to payroll (10 accounting years), evidence in case of employment dispute (5 years). Outside these obligations, erasure also applies to former employee data.
How to prove that erasure was properly carried out?
Keep a request log: date received, nature of request, actions taken (list of purged systems), response date. Keep this log for 5 years. In case of CNIL inspection or dispute, it's your main proof.

Audit your complete GDPR compliance

Cookies, trackers, transfers: RGPDScan detects risks in 60 seconds. Free.