Overview of a Data Erasure Request Form

What is a Data Erasure Request Form?

A Data Erasure Request Form can be used to make a request for deletion under the GDPR. A request for erasure can be made by the data subject themselves, or by a third party on behalf of the data subject. If you are making a request on behalf of a data subject, you need to have proof of both your own and the data subject’s identities, as well as written authorisation from the data subject to make the request on their behalf.

Data subjects can exercise their right to erasure when:
-The personal data is no longer necessary for the purposes for which it was originally collected or processed;
-The data subject’s consent is relied on to collect the data, and the data subject withdraws that consent;
-The data subject objects to processing that is based on legitimate interest, and the data controller has no overriding legitimate interest or other legal basis to collect the data;
-The data subject believes that the personal data was unlawfully processed or collected;
-The data must be erased to comply with a legal obligation; or
-The data was processed in relation to the offer of information society services to a child.

A data controller may refuse to comply with a request for erasure if their processing of the data is:
-Protected by the right to freedom of expression;
-Necessary to comply with a legal obligation for the performance of a public interest task or exercise of official authority;
-For health purposes in the public interest;
-For archiving purposes in the public interest, scientific or historical research, or statistical purposes; or
-Necessary to exercise or defend legal claims.

A data controller may also refuse to comply with a request for erasure if it is manifestly unfounded or excessive, taking into consideration whether the request is repetitive in nature.

To prevent fraudulent requests from people impersonating others, data controllers must be satisfied of the applicant’s identity before processing requests for erasure. This document requires applicants to provide identification documents that prove their identity. A passport or other government-issued ID is not required. Applicants are also asked to obscure parts of the document (e.g. ID number) that are not relevant to their request, as long as the remaining information identifies the data subject making the request, and shows the validity of the document itself. Applicants may also obscure any photograph in the identification document, unless they are asking for removal of photographs. Data controllers should use this information solely to help assess and document the authenticity of data erasure requests.

Under the GDPR, data controllers are obliged to respond to requests for erasure within 30 days.

Key points included

-Details of the data subject;
-Details of the applicant (if different from the data subject);
-Proof of identity;
-Grounds for erasure;
-Information to be erased;
-Declaration.

Ready to get started?


Create a free account now and explore all of the Zegal features.

Get Started

No credit card required