Data Deletion Concept for GDPR-Compliant Data Erasure

Espresso Data Privacy’s data deletion concept enables GDPR-compliant orchestration of personal data erasure, aligning with the right to be forgotten under GDPR Articles 5 and 17. It provides a technical framework for automating complex deletion processes across enterprise systems.

General data protection

The General Data Protection Regulation (EU) 2016/679 (GDPR) is a key piece of EU legislation on data protection and privacy, applicable across the European Union (EU) and the European Economic Area (EEA). It reinforces fundamental rights under Article 8(1) of the EU Charter of Fundamental Rights by granting individuals stronger control over their personal data. The GDPR aims to harmonize data protection laws, ensure lawful and purpose-limited processing, and create a consistent regulatory environment for international organizations. Replacing the former Data Protection Directive 95/46/EC, the GDPR applies to any organization—regardless of location—that processes personal data of individuals within the EEA.


Enforcement

  • The GDPR was adopted on 14 April 2016 and became enforceable on 25 May 2018. As a regulation (not a directive), it is directly binding across the EU and EEA. While uniformly applicable, certain implementation details may be shaped by national legislation in member states.
  • The GDPR has since become a global benchmark for data protection. Similar laws have been adopted in:
    • 🇬🇧 United Kingdom – UK GDPR
    • 🇨🇭 Switzerland – Federal Act on Data Protection (FADP / DSG), effective 1 September 2023
    • 🇧🇷 Brazil – Lei Geral de Proteção de Dados (LGPD)
    • 🇺🇸 California – California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
    • 🇸🇦 Saudi Arabia – Personal Data Protection Law (PDPL)
    • 🇨🇳 China – Personal Information Protection Law (PIPL)
    • 🇯🇵 Japan – Act on the Protection of Personal Information (APPI)
    • 🇰🇷 South Korea – Personal Information Protection Act (PIPA)
    • 🇿🇦 South Africa – Protection of Personal Information Act (POPIA)
    • 🇹🇷 Turkey – Law on the Protection of Personal Data (KVKK)
    These laws share core GDPR principles such as purpose limitation, data minimization, legal basis for processing, and individual data rights – often including obligations for automated or timely erasure.

The right to erasure and automated deletion obligations

GDPR: Article 17 ("Right to be forgotten") and Article 5(1)(e) ("Storage limitation")

The commonly known "right to be forgotten" was formalized as the "right to erasure" in Article 17 of the GDPR, adopted by the European Parliament in March 2014. It gives data subjects the right to request the deletion of their personal data under certain conditions - such as unlawful processing or overriding legitimate interests - typically within 30 days of the request.

However, the GDPR also introduces a broader obligation to delete personal data automatically when it is no longer required for its original purpose - as outlined in Article 17(1)(a) and reinforced by the storage limitation principle in Article 5(1)(e). The Swiss Federal Act on Data Protection (FADP, Art. 6(3)) contains an equivalent requirement, mandating that personal data must not be retained longer than necessary for its intended processing purpose.


Business object dependencies

Your company uses multiple software applications to store and manage diverse data, and the data in these applications is interrelated. Personal data must be completely deletable in line with Articles 5 and 17 of the GDPR described above. To ensure that your company passes an audit based on Articles 5 and 17 of the GDPR, the following main points need to be clarified:

  • Which types of business objects contain personal data, and how should they be grouped?
  • After which retention period must they be deleted according to the right to be forgotten?
  • Are the dependencies between these business object types known within the company?

Knowing these main points is crucial for deleting personal data in your company, since the sequence of deletions within dependent business object types is based on them. The following figure illustrates the situation.


[Figure: Business object dependencies]

Deletion process automation

If the number of business object types to be deleted exceeds what can be managed manually, the company will need to automate deletion. This applies especially if the dependencies between the business object types are complex and different applications have to be considered. Automation avoids manual deletion errors and produces deletion evidence for audit purposes.

The deletion automation system then required, which orchestrates the enterprise applications for deletion, runs the following main processes. At this point, the technical setup and business configuration, such as the named business object types and orchestration sequences, have already been completed.

  • Identify - Identification of the personal data that needs to be deleted and of the deletion orchestration requests, differentiated by application types, business object types and allowed combinations.
  • Validate - Validation at business object level: accuracy, manual approvals, deletion locks, legal holds and automatic veto checks against the deletion.
  • Delete - Deletion of the business objects themselves by the commissioned application.
  • Document - Collection of deletion evidence for audit purposes and of statistics on the deletion process, key performance indicators, alerts or error cases.
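The four processes and the dependency-based deletion sequence can be sketched as follows. This is an added example, not Espresso Data Privacy's code. The business object types, retention periods, object ids and the rule that a vetoed dependent also blocks deletion of the object it references are all assumptions made for illustration.

```python
from datetime import date
from graphlib import TopologicalSorter

# Constructed model: business object type -> types that reference it (deleted first).
DEPENDENTS = {"customer": {"sales_order", "support_ticket"},
              "sales_order": {"invoice"}, "invoice": set(), "support_ticket": set()}
# Constructed retention periods in days, per business object type.
RETENTION_DAYS = {"customer": 365, "sales_order": 365,
                  "invoice": 3650, "support_ticket": 180}

def deletion_sequence(dependents=DEPENDENTS):
    """Order types so each dependent type precedes the type it references."""
    return list(TopologicalSorter(dependents).static_order())

def orchestrate(objects, today, legal_holds=frozenset()):
    """Identify, validate, delete and document; returns the evidence records."""
    by_type, blocked, evidence = {}, set(), []
    for obj in objects:
        by_type.setdefault(obj["type"], []).append(obj)
    for bo_type in deletion_sequence():
        for obj in by_type.get(bo_type, []):
            age_days = (today - obj["last_used"]).days
            if age_days < RETENTION_DAYS[bo_type]:   # Identify: not yet due
                outcome = "retained: retention period running"
            elif obj["id"] in legal_holds:            # Validate: veto check
                outcome = "vetoed: legal hold"
            elif obj["id"] in blocked:                # Validate: dependency check
                outcome = "vetoed: dependent object remains"
            else:                                     # Delete: the owning application
                outcome = "deleted"                   # would be called at this point
            if outcome != "deleted" and obj.get("parent"):
                blocked.add(obj["parent"])            # keep the referenced object too
            evidence.append({"id": obj["id"], "type": bo_type,   # Document
                             "outcome": outcome, "checked_on": today.isoformat()})
    return evidence

# Constructed sample objects; "parent" is the id of the object this one references.
OLD = date(2010, 1, 1)
SAMPLE = [
    {"id": "C1", "type": "customer", "last_used": OLD},
    {"id": "SO1", "type": "sales_order", "last_used": OLD, "parent": "C1"},
    {"id": "INV1", "type": "invoice", "last_used": OLD, "parent": "SO1"},
    {"id": "T1", "type": "support_ticket", "last_used": OLD, "parent": "C1"},
]

if __name__ == "__main__":
    for record in orchestrate(SAMPLE, date(2025, 1, 1), legal_holds={"INV1"}):
        print(record)
```

With the legal hold on the invoice, the sales order and the customer are retained as well, and every decision, including each veto, ends up in the evidence records.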


Learn how this concept is applied in practice in our Reference Case or explore the full Solution Documentation.