Espresso Data Privacy’s data deletion concept enables GDPR-compliant orchestration of personal data erasure, aligning with the right to be forgotten under GDPR Article 5 and 17. It provides a technical framework for automating complex deletion processes across enterprise systems.
The General Data Protection Regulation (EU) 2016/679 (GDPR) is a key piece of EU legislation on data protection and privacy, applicable across the European Union (EU) and the European Economic Area (EEA). It reinforces fundamental rights under Article 8(1) of the EU Charter of Fundamental Rights by granting individuals stronger control over their personal data. The GDPR aims to harmonize data protection laws, ensure lawful and purpose-limited processing, and create a consistent regulatory environment for international organizations. Replacing the former Data Protection Directive 95/46/EC, the GDPR applies to any organization—regardless of location—that processes personal data of individuals within the EEA.
The commonly known "right to be forgotten" was formalized as the "right to erasure" in Article 17 of the GDPR, adopted by the European Parliament in March 2014. It gives data subjects the right to request the deletion of their personal data under certain conditions - such as unlawful processing or overriding legitimate interests - typically within 30 days of the request.
However, the GDPR also introduces a broader obligation to delete personal data automatically when it is no longer required for its original purpose - as outlined in Article 17(1)(a) and reinforced by the storage limitation principle in Article 5(1)(e). The Swiss Federal Act on Data Protection (FADP, Art. 6(3)) contains an equivalent requirement, mandating that personal data must not be retained longer than necessary for its intended processing purpose.
Your company uses multiple software applications to store and manage diverse data. The data in these applications is in turn related to each other. Personal data must be able to be completely deleted according to the above information on GDPR and Article 5 and 17. In order to ensure that your company survives an audit based on Article 5 and 17 of GDPR, the following main points need to be clarified:
The knowledge of these main points is of crucial relevance for the deletion of personal data in your company, since the sequence of deletions within dependent business object types is based on them. The following figure illustrates the situation.
If the number of business object types to be deleted exceeds a value that is no longer manageable for manual deletion, the company will need to automate deletion. This is also the case especially if the dependencies between the business object types are complex and different applications have to be considered. Manual deletion errors can be avoided and a deletion evidence for audit reasons will be created.
A then required deletion automation system that orchestrates the enterprise applications for deletion consists of the following main processes during the automation. The technical setup and business configuration, such as the named business object types and orchestration sequences, have already been done.
Learn how this concept is applied in practice in our Reference Case or explore the full Solution Documentation.