Right to erasure / deletion request process

Description

A working right-to-erasure process deletes a data subject's personal data on request, across primary stores, backups, search indexes, replicas, and processor systems, within a fixed regulatory window. Three layers have to line up. The intake verifies the request and identifies the subject across product accounts (a single human may sit behind multiple emails, customer-service tickets, and historical purchase records, and the erasure obligation runs against the human, not the email). The deletion fan-out reaches every store the data has propagated to (most products discover at this point that the data inventory was incomplete; the project plan that surfaces a complete inventory is usually a multi-week effort the first time it runs). The audit log documents what was deleted, when, and from where, in a form the regulator can later confirm. The regulatory floors converge but not exactly. GDPR Article 17 sets a one-month response window, extendable by two months in narrow circumstances with notice to the subject. CCPA §1798.105 runs 45 days, extendable by 45 with notice. LGPD Article 18 § VI carries a 15-day window for the request response, with the deletion itself running on the operator's documented retention schedule. Operators commonly consolidate to the strictest applicable window per subject rather than running parallel timers per regime. The processor passthrough is its own piece: an erasure request to the controller propagates to each processor under the Article 28 / equivalent processor agreements, and the controller carries the burden of confirming the processor actually executed. Backups are the recurring sticking point. Most regulators have accepted a documented policy that says backups are deleted on the normal rotation schedule rather than expecting forensic deletion from cold storage, but the policy has to actually exist, the rotation has to actually happen, and a restored backup has to re-execute the erasure on the restored data before it returns to live access. The hardest part operationally is usually not the primary delete; it is finding everywhere the data went after collection. Evidence formats that hold up include the deletion runbook keyed to the data inventory, per-request deletion logs with store-by-store completion timestamps, processor-passthrough confirmation receipts, and the backup-rotation policy showing how cold storage ages off.

Required by (4 regulations)

• GDPR

  Article 17 — right to erasure ("right to be forgotten").

  Regulation (EU) 2016/679 of the European Parliament and of the Council

• CCPA/CPRA

  CCPA §1798.105 — right to deletion.

  Cal. Civ. Code §§1798.100-1798.199.100; 11 CCR §7000-7102

• LGPD

  Article 18 § VI — deletion of unnecessary or excessive data.

  Lei nº 13.709, de 14 de agosto de 2018 (as amended by Lei nº 13.853/2019 and Emenda Constitucional nº 115/2022)

• Washington MHMDA

  Implements MHMDA's right to delete consumer health data.

  Washington My Health My Data Act (HB 1155, 2023)

  Source →

Fulfilled by (3)

• transcend · full · medium effort · $$
• onetrust · partial · medium effort · $$
• In-house build · high effort

Magist does not accept payment from vendors. Methodology.

Evidence formats

• deletion runbook
• deletion logs
• processor passthrough confirmations
• backup-rotation policy