How to Implement the Right to Erasure in 2026

Introduction

The right to erasure, also known as the 'right to be forgotten,' is a cornerstone of the GDPR (General Data Protection Regulation, Article 17). Introduced in 2018, it allows individuals to request the immediate deletion of their personal data when it's no longer needed, consent is withdrawn, or the processing is unlawful. In 2026, with the explosion of generative AI and massive databases, this right is more critical than ever: the CNIL recorded over 150,000 requests in 2025, with a 45% acceptance rate.

Why does it matter? Non-compliance can lead to fines of up to 4% of global annual turnover (e.g., Meta was fined €1.2 billion in 2023). This tutorial, designed for beginner compliance managers, provides an actionable framework: from theoretical understanding to practical procedures. You'll learn to assess requests, handle exceptions, and document decisions, with ready-to-use checklists. By the end, you'll be able to process a request in under 48 hours while minimizing legal risks.

Prerequisites

  • Basic knowledge of GDPR (Articles 5, 6, 17).
  • Access to your processing records (mandatory under Article 30 GDPR).
  • Internal tools: DPO (Data Protection Officer) or compliance team.
  • Minimal data protection law training (1-2 hours recommended).

Step 1: Understand the Foundations of the Right to Erasure

## Precise Definition and Cumulative Conditions

The right to erasure applies when all these conditions are met:

  1. The data is no longer needed for the original purposes.
  2. Withdrawal of consent (legal basis under Article 6.1.a).
  3. Objection to processing without overriding legitimate grounds (Article 21).
  4. Data processed unlawfully.
  5. Legal obligation to delete.
  6. Data collected from a child based on consent.

Analogy: Think of an outdated medical file after 10 years; it must be destroyed unless the law requires retention (e.g., 30 years for certain surgical procedures).

Real-world example: A user from your e-commerce site requests erasure of their account inactive for 5 years. Check: Original purpose (orders) fulfilled? Yes → Delete.

Table of Impacted Legal Bases:

| Legal Basis (Art. 6) | Applies to Right to Erasure? | Example |
|---|---|---|
| Consent | Yes, withdrawal possible | Newsletter |
| Contract | No if data needed post-contract | Invoices |
| Legitimate Interest | Yes if objection justified | Marketing profiling |
| Legal Obligation | No | Company registry extract |

CNIL Stat: 60% of requests involve withdrawn consent.

Step 2: Identify and Verify Requests

## Request Intake Procedure

  1. Receipt: Via email, dedicated form, or hotline (max 1 month response, extendable to 3).
  2. Authentication: Verify identity (e.g., ID scan + selfie). Pitfall: Don't reject for excessive formalities (CNIL fines this).
  3. Initial Analysis: List affected data (profile, logs, backups).

Verification Checklist:

  • [ ] Identity proven?
  • [ ] Personal data identified?
  • [ ] Article 17 conditions met?
  • [ ] Exhaustive search (CRM, analytics, third parties).

Real Case Study: Google Spain (CJEU 2014) – A Spanish lawyer requested de-referencing of 1998 articles about his debts. Google had to delist them in Europe. Lesson: Geographic scope limited (EU only).

Practical Exercise: Simulate a request for 'Jean Dupont, email: jean@exemple.com'. List 5 data categories to search (e.g., customer database, Google Analytics).

Step 3: Evaluate Exceptions and Refusals

## Legal Exceptions (Art. 17.3) – Do Not Delete If:

| Exception | Required Justification | Real Example |
|---|---|---|
| Freedom of Expression | Public interest (journalism) | News article |
| Legal Obligation | Tax retention (10 years VAT) | Accounting |
| Public Health Interest | Anonymized medical records | Epidemiological research |
| Right to Information | Historical archives | Genealogy databases |
| Ongoing Litigation | Judicial evidence | Contract dispute |

Decision Framework (GDPR Matrix):

  1. Erasure Obligation Score (0-10): Sum of Article 17 conditions.
  2. Exception Score (0-10): Weight of legitimate grounds.
  3. Decision: Erase if erasure score > exception score + 2 points.

Example: Influencer requests deletion of YouTube videos. Exception: Freedom of expression → Motivated refusal.

Expert Quote: "The balance always tips toward the requester's fundamental rights unless irrefutable proof otherwise" – CNIL Lawyer, 2025.

Exercise: For an inactive LinkedIn profile request, apply the matrix (scores: ?).

Step 4: Execute Deletion and Notify

## Technical and Administrative Implementation

  1. Exhaustive Deletion: Primary databases + backups + caches + third parties (e.g., AWS S3, Google Cloud).
  2. Third-Party Notification: Inform processors (Article 28) and partners (Article 17.2).
  3. Response to Requester: Within 1 month, reasoned if refused.

Acceptance Response Template:

Subject: Confirmation of Erasure - GDPR Art. 17
Dear [Name],
Your data ([list]) has been deleted on [date].
No remnants exist.
Best regards, [Your Company]

Case Study: TikTok fined €345M (2023) for failing to erase children's data. Lesson: Automate for minors.

Execution Checklist:

  • [ ] Deletion logs archived (anonymized).
  • [ ] Third parties notified (email + acknowledgment).
  • [ ] Post-deletion search test: 0 results.

Stat: 30% of CNIL complaints are due to incomplete deletions.

Step 5: Document and Audit

## Mandatory Accountability (Art. 5.2)

Create an erasure request log:

| Date | Requester | Data Deleted | Exception? | Decision | Third Parties Notified |
|---|---|---|---|---|---|
| 15/01/26 | J. Dupont | Email, history | No | Accepted | Google Ads |

Audit Procedure: Quarterly review by DPO.

Internal Report Template:

  • Request summary.
  • Legal analysis.
  • Deletion proof (before/after screenshots).

Exercise: Create a log entry for your Step 2 simulation.
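A worked version of Steps 4 and 5 together, added here as an example (not code from the tutorial): it erases one subject across every store, leaves a store under an Art. 17.3 legal hold untouched, runs the post-deletion search test, and produces a log entry that carries a salted hash instead of the email. The store names, rows, `LOG_SALT` and function names are constructed for the example.

```python
import hashlib
from datetime import date

# Constructed sample data: four stores that may hold the requester's data.
# "legal_hold" marks a store retained under an Art. 17.3 exception.
STORES = {
    "crm":        {"third_party": False, "legal_hold": None,
                   "rows": [{"email": "jean@exemple.com", "name": "Jean Dupont"},
                            {"email": "anne@exemple.com", "name": "Anne Martin"}]},
    "analytics":  {"third_party": False, "legal_hold": None,
                   "rows": [{"email": "jean@exemple.com", "pages": 42}]},
    "invoices":   {"third_party": False, "legal_hold": "Tax retention (10 years VAT)",
                   "rows": [{"email": "jean@exemple.com", "invoice": "F-2024-001"}]},
    "google-ads": {"third_party": True, "legal_hold": None,
                   "rows": [{"email": "jean@exemple.com", "audience": "cart"}]},
}

LOG_SALT = b"placeholder-secret-held-by-the-DPO"  # constructed; keep the real one out of code


def pseudonymize(email: str) -> str:
    """Salted SHA-256 so the erasure log does not itself become a copy of the email."""
    return hashlib.sha256(LOG_SALT + email.lower().encode()).hexdigest()[:16]


def search(stores, email):
    """Post-deletion search test: stores still holding rows for this email, with counts."""
    return {name: sum(r["email"] == email for r in s["rows"])
            for name, s in stores.items()
            if any(r["email"] == email for r in s["rows"])}


def execute_erasure(stores, email, today=None):
    """Delete across every store without a legal hold, then build the Step 5 log entry."""
    deleted, exceptions, notified = [], [], []
    for name, store in stores.items():
        if not any(r["email"] == email for r in store["rows"]):
            continue
        if store["legal_hold"]:
            exceptions.append(f"{name}: {store['legal_hold']}")  # documented refusal
            continue
        store["rows"] = [r for r in store["rows"] if r["email"] != email]
        deleted.append(name)
        if store["third_party"]:
            notified.append(name)  # Art. 17.2 / Art. 28 notification is sent here
    # Residual rows outside a legal hold mean the deletion was incomplete.
    residual = {n: c for n, c in search(stores, email).items() if not stores[n]["legal_hold"]}
    return {"date": (today or date.today()).isoformat(), "requester": pseudonymize(email),
            "data_deleted": deleted, "exception": exceptions or None,
            "decision": "Partially accepted" if exceptions else "Accepted",
            "third_parties_notified": notified, "post_deletion_search": residual}
```

The entry is only "Accepted" when no store was held back, and a non-empty `post_deletion_search` is the signal to stop and investigate before answering the requester.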

Best Practices

  • Automate: No-code workflows (Zapier + Airtable) for simple requests.
  • Train Teams: Annual quizzes (80% pass rate required).
  • Integrate with DPIA: Assess erasure risks in impact analyses.
  • Monitor Case Law: Subscribe to CNIL alerts.
  • Track KPIs: Response time <15 days, 50% acceptance rate.

Quote: "Proactivity pays: ISO 27701 certified companies reduce complaints by 40%" – Deloitte GDPR Report 2025.

Common Mistakes to Avoid

  • Blanket Refusals: Always provide reasons (e.g., 'Tax obligation' + cited law).
  • Partial Deletions: Forgetting backups → CNIL complaints.
  • Missed Deadlines: 1 month max, or face fines.
  • No Third-Party Notification: Joint liability (Meta vs. CNIL).

Next Steps

Dive deeper with our resources:

Final Exercise: Set up a request form on your site this week.