The General Data Protection Regulation (GDPR) grants individuals several rights over their personal data, including the so-called right to be forgotten. This right allows individuals to request the erasure of their personal data when it is no longer necessary, when consent has been withdrawn, or when the processing is unlawful, among other circumstances.
For companies, receiving such a request should not be a cause for alarm, but it does require a prompt, orderly, and legally compliant response. Below, we outline the steps an organization should follow when a user exercises their right to be forgotten and how to act diligently to ensure regulatory compliance.
Step 1: Verify the Identity of the Requester
The first thing the company must do is confirm that the person making the request is indeed the data subject. This is done by requesting reasonable proof of identity, such as a copy of a national ID or an equivalent verification method.
Additionally, the exact date of receipt of the request must be recorded, as the GDPR establishes a maximum response time of one month. If additional information is needed to process the request properly, it should be requested as soon as possible and without undue delay.
Step 2: Assess Whether the Right to Be Forgotten Applies
Although it is a recognized right under the GDPR, the right to be forgotten is not absolute. The company must evaluate whether the legal conditions for data erasure are met, including:
The data is no longer necessary for the purpose for which it was collected.
The data subject has withdrawn consent and there is no other legal basis for processing.
The data subject objects to the processing and there are no overriding legitimate interests.
The data has been processed unlawfully.
There is a legal obligation to erase the data.
The data was collected in relation to services offered to minors.
If the request is not applicable—for instance, if the company must retain certain data for legal or contractual reasons—it must formally notify the user, clearly explaining and justifying the grounds for refusal.
Step 3: Erase the Data Effectively and Securely
If the request is valid, the company must proceed to erase the data effectively and securely. This involves:
Removing the information from all internal databases.
Reviewing backups and other systems to ensure the data is also properly deleted.
Informing data processors (e.g., external service providers or digital platforms) so they can delete the data on their end as well.
The entire process must be documented internally—not only to ensure GDPR compliance, but also to be able to demonstrate proper handling in case of an inspection by the Spanish Data Protection Agency (AEPD).
Step 4: Notify the User of the Resolution
Once the process is completed, the company must inform the data subject that their data has been deleted, providing a general summary of the actions taken. The communication should be clear and transparent, avoiding unnecessary technical jargon.
The user should also be informed of their right to file a complaint with the supervisory authority if they believe their request was not handled appropriately. In Spain, the relevant authority is the Agencia Española de Protección de Datos (AEPD).
Step 5: Review Policies and Strengthen Best Practices
Requests to exercise data rights offer companies an opportunity to review their personal data management processes. Key recommendations after receiving a right-to-be-forgotten request include:
Reviewing data collection forms and channels to ensure only necessary data is collected.
Establishing data retention policies and automatically deleting data that is no longer useful or lawful.
Training relevant staff (e.g., customer service, marketing, HR) on how to handle such requests.
Ensuring that all service providers comply with their duties as data processors.
Properly handling a right-to-be-forgotten request not only helps avoid sanctions, but also builds user trust and reinforces the company’s reputation as a privacy-conscious organization.
Frequently Asked Questions (FAQs)
Is my company always required to delete data when a user requests it?
No. The right to be forgotten is not absolute. If there is a legal basis for retaining the data—such as compliance with tax, contractual, or legal obligations—the company may deny the erasure. However, it must inform the user clearly and justify the decision.
What if the user’s data is stored in third-party tools like email marketing platforms?
The company remains the data controller and is responsible for ensuring the request is fulfilled. The request must be communicated to those service providers (e.g., Mailchimp, HubSpot, ActiveCampaign), and the company should ensure the data is erased from their systems as well. It’s advisable to have up-to-date contracts with these providers that include clauses addressing data subject rights.
What are the consequences of failing to respond to a right-to-be-forgotten request?
Failure to respond—or doing so incorrectly—can lead to serious consequences. The Spanish Data Protection Agency may impose significant fines, depending on the severity and the size of the company. Additionally, it can damage the company’s reputation and erode user trust.
