How long do I have to erase data? | GDPR FAQ

Q: How quickly must I delete data subject data after receiving a “Right To Erasure” request?

A: GDPR says that a data controller must comply to an erasure request “without undue delay”. As you can see, that is a rather open-ended deadline.

However, while there is no set-in-stone timetable, the regulations are quite strict on what is permissible as a reason for delay. Technological or budgetary shortcomings cannot be used to delay an erasure request.

References:

  • Article 17, GDPR
  • Recital 65, GDPR
  • Recital 66, GDPR
  • Additional Information:

    The unauthorised destruction of personal data is a serious breach of the GDPR. Every erasure request must therefore be assessed on a case-by-case basis.

    Data controllers must also assess whether they are blocked from deleting data for any other reason. Information which is processed as part of a legal obligation must not be destroyed, for example.