Q: How quickly must I delete data subject data after receiving a “Right To Erasure” request?

A: GDPR says that a data controller must comply to an erasure request “without undue delay”. As you can see, that is a rather open-ended deadline. 

However, while there is no set-in-stone timetable, the regulations are quite strict on what is permissable as a reason for delay. Technologiucal or budgetary shortcomings cannot be used to delay an erasure request.

References:

Article 17, GDPR
Recital 65, GDPR
Recital 66, GDPR

Additional Information:

The unauthorised destruction of personal data is a serious breach of the GDPR. Every erasure request must therefore be assessed on a case-by-case basis.

Data controllers must also assess whether they are blocked from deleting data for any other reason. Information which is processed as part of a legal obligation must not be destroyed, for example.

Did this answer your question?