Q: How quickly must I delete data subject data after receiving a “Right To Erasure” request?
A: GDPR says that a data controller must comply to an erasure request “without undue delay”. As you can see, that is a rather open-ended deadline.
However, while there is no set-in-stone timetable, the regulations are quite strict on what is permissable as a reason for delay. Technologiucal or budgetary shortcomings cannot be used to delay an erasure request.
The unauthorised destruction of personal data is a serious breach of the GDPR. Every erasure request must therefore be assessed on a case-by-case basis.
Data controllers must also assess whether they are blocked from deleting data for any other reason. Information which is processed as part of a legal obligation must not be destroyed, for example.