Irish businesses, SMEs, and enterprises processing personal data of customers, employees, or visitors, especially those receiving deletion requests or concerned about GDPR fines from the DPC.
Readers will gain practical guidance on complying with erasure requests, recognizing exemptions, managing challenges like backups and partial deletions, and implementing workflows to ensure regulatory compliance and avoid complaints.
Key Takeaways
The right to erasure under GDPR Article 17 requires deleting personal data when specified grounds apply, such as withdrawn consent or no longer necessary.
Exceptions allow refusal for legal obligations, public interest research, legal claims, and Irish-specific rules like tax records.
Respond to requests within one month, notifying third parties and handling backups appropriately.
Build a structured process: intake, triage, data mapping, deletion, notifications, and logging.
EDPB 2025 enforcement and thousands of DPC complaints highlight priority on erasure compliance.
Laura Ryan is a practising Barrister at the Bar of Ireland. She graduated from the Honourable Society of King’s Inns in 2024, having previously qualified and practised as a Chartered Accountant in a big four accounting firm.
The right to erasure, set out in Article 17 of the GDPR, allows individuals to request deletion of their personal data by a data controller. It applies to anyone whose data is processed and can be requested informally via email, phone, or in person. It is broader than the 'right to be forgotten' from search engines.
When must you comply with an erasure request?
You must comply without undue delay if the data is no longer necessary for its purpose, consent is withdrawn with no other basis, objection to processing with no overriding grounds, direct marketing objection, unlawful processing, legal obligation requires erasure, or data from child for info society services.
When can you refuse an erasure request?
You can refuse if data is needed for freedom of expression, legal obligations like tax records, public health, archiving/research in public interest, or legal claims. Irish Data Protection Act adds exemptions for crime prevention and tax assessment. Always document reasons.
What is the response timeline for an erasure request?
Respond within one month, extendable by two months for complex cases with notification. Verify identity proportionately, then identify/delete data locations, notify third parties, and confirm in writing.
How should businesses handle backups in erasure requests?
Deleting from live systems does not remove from backups. Document approach like flagging for next rotation. Anonymisation can substitute if truly anonymous, excluding data from GDPR scope. Partial erasure may retain required data like tax records.
