GDPR Article 17 right to erasure requires companies to delete data within 30 days when you withdraw consent, data becomes unnecessary, or processing is unlawful. Send formal requests explicitly referencing the regulation (not generic “delete my account”), escalate to Data Protection Authorities (ICO, CNIL, AEPD) when companies ignore you, and file compensation claims under Article 82 for damages from non-compliance. Verify deletion by requesting subject access exports afterward (should return empty), and use email aliases per service to track which companies have your data.
Understanding Your Rights Under Article 17
The GDPR right to erasure isn’t absolute, but it covers most situations where you’d reasonably want your data gone. You can request deletion when:
- You withdraw consent for data processing
- The data is no longer necessary for the original purpose
- You object to the processing and there’s no overriding legitimate interest
- The data was processed unlawfully
- The data must be erased to comply with a legal obligation
Companies cannot simply ignore these requests. They must respond within one month and actually delete your data, not just mark it as “inactive” in their systems.
Step 1: Identify What Data Companies Hold
Before sending erasure requests, understand what companies typically collect. For developers and technical users, this process involves thinking through data storage systems:
# Example: Common data categories to request deletion for
data_categories = [
"account_credentials",
"profile_information",
"usage_analytics",
"communication_logs",
"payment_information",
"device_identifiers",
"location_history",
"cookies_and_tracking_data",
"third_party_shares",
"backup_copies"
]
Every service you use likely stores some combination of these. Make a list of every service you’ve signed up for, then prioritize based on how much data you’ve shared and how sensitive it is.
Step 2: Send Formal Erasure Requests
Generic “delete my account” requests often get lost in customer support tickets. Use explicit language referencing GDPR Article 17:
# Example: curl command to send deletion request via API (if available)
curl -X DELETE "https://api.example.com/v1/user/data" \
-H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"request_type": "erasure",
"regulation": "GDPR_Article_17",
"data_categories": "all"
}'
For services without API access, send emails using this structure:
Subject: GDPR Article 17 Erasure Request - [Your Email/Account ID]
Dear Data Protection Officer,
I am requesting the erasure of all personal data you hold about me under GDPR Article 17. This request applies to:
- All account data and profile information
- All usage and behavioral data
- All communications and logs
- All data shared with third parties
- All backups containing my personal data
Please confirm receipt of this request and provide a timeline for completion. If you require additional information to verify my identity, please request only what is strictly necessary.
If you do not respond within one month or refuse to delete my data, I will file a complaint with the relevant supervisory authority.
[Your Name] [Your Email] [Account ID if known]
Step 3: Escalate When Companies Ignore You
Many companies hope you’ll give up. GDPR gives you enforcement options:
Stage 1: Follow Up Document every interaction. After one month with no response, send a second email noting the deadline violation. Many companies have automated systems that prioritize follow-up tickets.
Stage 2: File a Complaint If a company refuses or ignores your request, file a complaint with the Data Protection Authority (DPA) in your country. The process is typically free and online:
- UK: ICO (Information Commissioner’s Office)
- Germany: BfDI or state-level authorities
- France: CNIL
- Spain: AEPD
When filing, include:
- The company’s name and contact
- Copies of your erasure requests
- Dates of all correspondence
- Any response (or lack thereof)
Stage 3: Demand Compensation Under GDPR Article 82, you can claim compensation for material and non-material damage caused by data protection violations. This includes distress from knowing your data remains in systems you explicitly asked to be deleted.
How to Verify Deletion
A company claims they deleted your data—how do you verify this? Technical users can check through multiple channels:
# Pseudocode for deletion verification checklist
def verify_deletion(company_name, email):
checks = []
# 1. Check if account login still works
checks.append(test_login(email, company_name))
# 2. Check data broker databases
checks.append(not_found_in_data_brokers(email))
# 3. Verify via subject access request
# Request all data they still hold - should return empty
data = request_subject_access(company_name, email)
checks.append(len(data) == 0)
# 4. Check third-party shares
# Ask specifically who they've shared data with
shares = request_third_party_shares(company_name, email)
checks.append(len(shares) == 0)
return all(checks)
Request a complete data export (your right under GDPR Article 15) after your erasure request. If they still return any personal data, the erasure was incomplete.
Special Cases and Limitations
Data That Cannot Be Fully Deleted:
- Financial records required for tax purposes (typically 7-10 years)
- Legal obligations to retain certain data
- Data essential for contract fulfillment
- Public interest or legal claims
However, companies must still delete data beyond what’s strictly necessary for these purposes.
Third-Party Data Sharing: Under Article 17, companies must inform third parties about your erasure request when technically feasible. Request a list of all third parties they’ve shared your data with, then send direct erasure requests to each.
Services That Claim Inability to Delete: Some companies claim data is “anonymized” and therefore exempt. Ask for proof of anonymization methodology. True anonymization under GDPR means the data cannot be re-identified even when combined with other data sources.
Practical Tips for Power Users
Use these strategies to minimize your data footprint and make future erasure requests easier:
-
Use email aliases: Create aliases like
service+eraser@gmail.comfor each service. This makes it easy to identify which company leaked or sold your data. -
Document everything: Keep records of what you signed up for, when, and what data you provided. This makes erasure requests faster and helps if you need to file complaints.
-
Check HaveIBeenPwned regularly: This service tracks data breaches. If your data appears in a breach, you know exactly which companies to target for erasure.
-
Use deletion reminders: Add calendar events for services you plan to delete. The longer data sits in a system, the more likely it’s been backed up, shared, or processed in ways that complicate deletion.
-
Automate where possible: Some privacy tools can send GDPR requests automatically. For developers, building automation for recurring erasure requests across services saves significant time.
Automating Erasure Requests at Scale
Developers can automate deletion workflows for managing multiple accounts:
# Automated GDPR erasure request system
import requests
import json
from datetime import datetime
from typing import List, Dict
import hmac
import hashlib
class AutomatedErasureRequester:
"""Send GDPR Article 17 requests to multiple services"""
def __init__(self, email: str, log_file: str = "erasure_log.jsonl"):
self.email = email
self.log_file = log_file
self.services = self._load_service_catalog()
def _load_service_catalog(self) -> Dict:
"""Load list of services with their deletion endpoints"""
return {
'google': {
'endpoint': 'https://www.google.com/takeout/',
'method': 'web_form',
'dpo_email': 'privacy-support@google.com'
},
'meta': {
'endpoint': 'https://www.facebook.com/privacy/center/',
'method': 'web_form',
'dpo_email': 'dpo@fb.com'
},
'amazon': {
'endpoint': 'https://www.amazon.com/gp/css/right-of-erasure',
'method': 'web_form',
'dpo_email': 'dataprotection@amazon.com'
}
}
def send_erasure_request(self, service: str) -> Dict:
"""Send formal GDPR Article 17 request"""
if service not in self.services:
return {'status': 'error', 'message': f'Service {service} not supported'}
request_body = {
'request_type': 'erasure',
'article': '17',
'data_subject_email': self.email,
'timestamp': datetime.utcnow().isoformat(),
'request_signature': self._sign_request(self.email, service)
}
try:
response = requests.post(
f"{self.services[service]['endpoint']}/data-rights/delete",
json=request_body,
timeout=10
)
result = {
'service': service,
'status': 'sent',
'response_code': response.status_code,
'timestamp': datetime.utcnow().isoformat(),
'deadline': (datetime.utcnow() + timedelta(days=30)).isoformat(),
'tracking_id': response.json().get('request_id', 'N/A')
}
except requests.exceptions.RequestException as e:
result = {
'service': service,
'status': 'failed',
'error': str(e),
'timestamp': datetime.utcnow().isoformat()
}
self._log_request(result)
return result
def _sign_request(self, email: str, service: str) -> str:
"""Create signature for non-repudiation"""
message = f"{email}:{service}:{datetime.utcnow().isoformat()}"
signature = hmac.new(
key=b"erasure_secret",
msg=message.encode(),
digestmod=hashlib.sha256
).hexdigest()
return signature
def track_compliance(self) -> List[Dict]:
"""Track which services complied with deletion requests"""
with open(self.log_file, 'r') as f:
requests = [json.loads(line) for line in f]
compliance = []
for req in requests:
if req['status'] == 'sent':
deadline = datetime.fromisoformat(req['deadline'])
days_remaining = (deadline - datetime.utcnow()).days
if days_remaining < 0:
status = "OVERDUE - File DPA complaint"
elif days_remaining < 5:
status = "DUE SOON - Follow up"
else:
status = "IN PROGRESS"
compliance.append({
'service': req['service'],
'request_id': req.get('tracking_id'),
'sent_date': req['timestamp'],
'deadline': req['deadline'],
'status': status
})
return compliance
def _log_request(self, result: Dict):
"""Log request for audit trail"""
with open(self.log_file, 'a') as f:
f.write(json.dumps(result) + '\n')
# Usage
requester = AutomatedErasureRequester('user@example.com')
# Send requests to multiple services
services = ['google', 'meta', 'amazon']
for service in services:
response = requester.send_erasure_request(service)
print(f"{service}: {response['status']}")
# Track compliance deadlines
compliance_status = requester.track_compliance()
for item in compliance_status:
print(f"{item['service']}: {item['status']}")
Verifying Deletion Beyond Account Removal
Companies sometimes hide data rather than delete it. Verify actual deletion:
#!/bin/bash
# Deletion verification checklist
EMAIL="user@example.com"
SERVICE="example-company.com"
echo "=== GDPR Deletion Verification ==="
# 1. Confirm account is gone
echo "1. Testing account access..."
if curl -s "$SERVICE/login" | grep -q "user not found"; then
echo " ✓ Account removed from active database"
else
echo " ✗ Account still exists"
fi
# 2. Check for data in data brokers
echo "2. Checking data broker databases..."
services=(
"haveibeenpwned.com"
"breachdirectory.org"
"intelx.io"
)
for broker in "${services[@]}"; do
if curl -s "$broker/search?q=$EMAIL" | grep -q "results"; then
echo " ⚠ Data found in $broker - request removal"
fi
done
# 3. Request complete data export
echo "3. Requesting Subject Access export..."
# Use the SAR (Subject Access Request) API endpoint
curl -X POST "$SERVICE/api/data-rights/export" \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d "{\"request_type\": \"complete_export\"}" \
> export.json
if [ ! -s export.json ] || grep -q "no data" export.json; then
echo " ✓ No personal data returned"
else
echo " ✗ Data still exists in systems"
echo " File DPA complaint for non-compliance"
fi
# 4. Check for cached copies
echo "4. Checking for cached data..."
if curl -s "https://web.archive.org/web/*/example.com/profile/$EMAIL" | grep -q "404"; then
echo " ✓ Archive.org doesn't have cached profile"
else
echo " ⚠ Internet Archive has cached copy"
echo " Submit removal request to archive.org"
fi
echo "=== Verification Complete ==="
Escalation Decision Tree
When companies refuse deletion, follow this escalation path:
Deletion Request Sent
↓
[30 days pass]
├─→ NO RESPONSE: Send follow-up (Email #2)
│ ↓
│ [5 days more]
│ ├─→ NO RESPONSE: File DPA Complaint (→ Complaint)
│ └─→ PARTIAL RESPONSE: Request clarification
│
├─→ REFUSAL: Review refusal justification
│ ├─→ Legitimate refusal (legal obligation): Accept
│ └─→ Illegitimate refusal: File DPA Complaint
│
└─→ COMPLIANCE: Verify deletion
├─→ VERIFIED: Complete
└─→ NOT VERIFIED: File DPA Complaint + Article 82 claim
DPA Complaint Process:
→ Submit to local DPA (ICO, CNIL, AEPD, etc.)
→ Investigation (can take 6-12 months)
→ Decision + potential fines (€20M or 4% revenue)
→ User compensation under Article 82
Article 82 Compensation Claim (parallel to DPA):
→ Hire attorney to sue company
→ Claim non-material damage (distress, inconvenience)
→ European courts increasingly award €500-2000 per violation
Related Reading
Related Articles
- GDPR Article 17 Erasure Implementation Code
- GDPR Legitimate Interest: What Companies Can Do With.
- Challenge Automated Credit Decision Using GDPR Right to
- How To Exercise Right To Restrict Processing Under Gdpr Limi
- Implement Data Portability Feature For Customers Gdpr Right
Built by theluckystrike — More at zovo.one