GDPR Data Erasure: Right to Erasure and Secure Data Destruction

Since the European Union began enforcing the General Data Protection Regulation in May 2018, supervisory authorities have levied over 5 billion euros in fines. Among the most common violations: failing to erase personal data when legally required. GDPR gives every individual in the EU and UK the right to have their personal data permanently destroyed — and it requires organizations to prove they did it properly. If you process personal data of EU or UK residents, this applies to you, regardless of where your servers sit.

Key Takeaways:

  • GDPR Article 17 gives individuals the right to request permanent erasure of their personal data, and organizations must comply within one month
  • The regulation applies to any organization worldwide that processes EU or UK residents' data — not just companies based in Europe
  • Deleting a file is not the same as erasing it — GDPR requires data to be rendered irrecoverable using proper sanitization methods
  • Penalties reach up to 20 million euros or 4% of annual global turnover, whichever is greater
  • You must document your erasure process to satisfy GDPR's accountability principle — a certificate of data erasure is the most practical way to do this

What GDPR Says About Data Erasure

Three articles in the GDPR deal directly with data erasure. Understanding what each one requires — in plain English — is the foundation for building a compliant process.

Article 17: The Right to Erasure (Right to Be Forgotten)

This is the headline provision. Article 17 states that an individual (called a "data subject" in GDPR language) has the right to ask any organization holding their personal data to erase it. The organization must comply "without undue delay" — which means within one calendar month of receiving the request.

The right is not absolute. Article 17 lists six specific grounds under which an individual can demand erasure, and also lists exceptions where an organization can refuse. But when none of those exceptions apply, the obligation is clear: destroy the data so it cannot be recovered.

The right to erasure also applies when a data subject withdraws consent. If the only legal basis for processing someone's data was their consent, and they revoke it, you must erase their data. There is no grace period and no option to simply "archive" it for later.

Article 5(1)(e): Storage Limitation

This is the provision many organizations overlook. Article 5(1)(e) requires that personal data be "kept in a form which permits identification of data subjects for no longer than is necessary" for the purposes it was collected. In practical terms: if you collected someone's email address to complete an order, you cannot keep that data indefinitely once the order is fulfilled and any legal retention period has passed.

Storage limitation means organizations need defined retention periods for every category of personal data they hold, and they must erase that data when the retention period expires — whether or not anyone files an erasure request. This creates an obligation for proactive, systematic data destruction, not just reactive responses to individual requests.

Article 32: Security of Processing

Article 32 requires organizations to implement "appropriate technical and organizational measures" to secure personal data. While this article is primarily about cybersecurity, it directly impacts data erasure because secure disposal is part of data security. Improperly erasing data — for example, throwing a hard drive in a dumpster or performing a quick format and selling a laptop — constitutes a failure to implement appropriate technical measures.

Data protection authorities have consistently interpreted Article 32 as requiring that when personal data reaches the end of its lifecycle, the destruction method must be proportionate to the sensitivity of the data. Credit card numbers and medical records demand more rigorous destruction than a newsletter subscriber list.

When You Must Erase Personal Data

Article 17 specifies six grounds on which a data subject can request erasure. If any one of these conditions is met, you must erase the data unless a specific exception applies.

1. The data is no longer necessary. You collected someone's data for a specific purpose, that purpose has been fulfilled, and there is no legal reason to keep it. Example: a job applicant's resume after the position has been filled and any equal-opportunity retention period has expired.

2. The individual withdraws consent. If consent was the legal basis for processing and the individual revokes it, you must erase the data. You cannot fall back on a different legal basis after the fact.

3. The individual objects to processing. Under Article 21, individuals can object to processing based on legitimate interests or public interest. If you cannot demonstrate compelling legitimate grounds that override the individual's interests, you must erase the data.

4. The data was processed unlawfully. If you collected or processed data without a valid legal basis, erasure is mandatory.

5. A legal obligation requires erasure. If EU or member state law requires you to erase the data, you must comply.

6. The data was collected from a child in relation to an online service. Data collected from minors under the conditions of Article 8 (consent for information society services) is subject to erasure on request, with a lower threshold for compliance.

When You Can Refuse

Organizations can refuse an erasure request when the data is needed for exercising freedom of expression, complying with a legal obligation that requires processing under EU or member state law, performing a task in the public interest, archiving in the public interest or scientific and historical research, or establishing, exercising, or defending legal claims. You must still respond to the request within one month, explain your refusal, and inform the individual of their right to complain to a supervisory authority.

Logical Deletion vs. Actual Erasure

This distinction is where many organizations get into trouble. GDPR requires that personal data be erased — made irrecoverable. But the default "delete" operation on every operating system does not actually erase data. It removes the file system pointer (the entry in the file table that says "this file exists here"), leaving the actual data intact on the storage device until the operating system happens to overwrite that space with something new.

What "delete" actually does: The operating system marks the disk space as available for reuse. The data remains physically present. Anyone with basic data recovery software — often free to download — can retrieve it.

What GDPR requires: Data must be put "beyond use." The UK ICO (Information Commissioner's Office) has used this phrase specifically: personal data should be rendered such that it cannot be practically recovered by any means. This goes well beyond clicking "delete" or emptying a recycle bin.

The database problem: For data stored in databases and applications (not just files on a hard drive), logical deletion often means setting a "deleted" flag on a record rather than actually removing it from the database. The data remains in the database, in database backups, in transaction logs, and potentially in data warehouse replicas. A GDPR-compliant erasure process must address all of these locations — not just flip a flag in the primary application.

The backup problem: Personal data typically exists in backup systems. When an individual requests erasure, that data needs to be removed from backups too, or at minimum, marked for exclusion when backups are restored. Most data protection authorities accept that purging individual records from encrypted backup archives may be technically impractical, provided you have controls to prevent restoration of the deleted data and the backups eventually age out through their normal retention cycle. Document this approach in your data protection policy.
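The database problem above, as an added example that is not part of the original article: an SQLite store with a primary table and a warehouse replica, where a "deleted" flag leaves the subject's e-mail in both tables and in the raw database file, while a purge across every table (with SQLite's secure_delete so freed cell space is zeroed) leaves nothing recoverable. Table and column names are assumptions, and the address is a constructed value.

```python
import os
import sqlite3
import tempfile

# Constructed sample value; not a real person's address.
SUBJECT_EMAIL = "erasure-subject@example.invalid"


def open_store(path):
    """Primary application table plus a downstream copy (a warehouse replica).
    secure_delete makes SQLite zero freed cell space instead of leaving old row
    bytes inside the page; most builds default it to OFF."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete = ON")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, "
                 "deleted INTEGER NOT NULL DEFAULT 0)")
    conn.execute("CREATE TABLE warehouse_customers (id INTEGER PRIMARY KEY, email TEXT)")
    conn.execute("INSERT INTO customers (email) VALUES (?)", (SUBJECT_EMAIL,))
    conn.execute("INSERT INTO warehouse_customers SELECT id, email FROM customers")
    conn.commit()
    return conn


def count_references(conn, email):
    """How many rows across all tables still hold the subject's e-mail."""
    return sum(
        conn.execute(f"SELECT COUNT(*) FROM {table} WHERE email = ?", (email,)).fetchone()[0]
        for table in ("customers", "warehouse_customers")
    )


def raw_file_contains(conn, path, needle):
    """Inspect the database file on disk, bypassing the query layer entirely."""
    conn.commit()
    with open(path, "rb") as fh:
        return needle.encode() in fh.read()


def soft_delete(conn, email):
    """Logical deletion: the application hides the row; nothing is removed."""
    conn.execute("UPDATE customers SET deleted = 1 WHERE email = ?", (email,))
    conn.commit()


def purge(conn, email):
    """Actual erasure: delete from every table that holds the subject, then
    verify that no reference remains. Returns True when verification passes."""
    conn.execute("DELETE FROM warehouse_customers WHERE email = ?", (email,))
    conn.execute("DELETE FROM customers WHERE email = ?", (email,))
    conn.commit()
    return count_references(conn, email) == 0


def demo():
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "crm.db")
        conn = open_store(path)
        soft_delete(conn, SUBJECT_EMAIL)
        after_soft = {
            "visible_to_app": conn.execute(
                "SELECT COUNT(*) FROM customers WHERE email = ? AND deleted = 0",
                (SUBJECT_EMAIL,)).fetchone()[0],
            "rows_still_holding_it": count_references(conn, SUBJECT_EMAIL),
            "in_raw_file": raw_file_contains(conn, path, SUBJECT_EMAIL),
        }
        after_purge = {
            "verified": purge(conn, SUBJECT_EMAIL),
            "rows_still_holding_it": count_references(conn, SUBJECT_EMAIL),
            "in_raw_file": raw_file_contains(conn, path, SUBJECT_EMAIL),
        }
        conn.close()
    return after_soft, after_purge


if __name__ == "__main__":
    print(demo())
```

Backups and transaction logs are outside this toy store; in production the same verification has to cover those locations as well.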

Technical Methods That Satisfy GDPR

GDPR does not name a specific technical standard for data erasure. Article 17 simply requires that data be erased. Article 32 requires "appropriate technical measures." This gives organizations flexibility, but it also means you need to choose a method that would withstand scrutiny from a data protection authority.

In practice, following NIST 800-88 Rev. 2 is the most widely accepted way to demonstrate that your erasure methods are technically sound. While NIST is a U.S. standard, it is recognized internationally and frequently cited by European data protection practitioners as a best-practice framework.

For Hard Disk Drives (HDDs)

A verified single-pass overwrite of the entire drive is sufficient. NIST 800-88 confirms that modern HDD densities make a single pass adequate — the outdated idea that multiple overwrite passes are needed comes from 1990s drive technology. After overwriting, a verification step confirms the pattern was written successfully.

Free tools like DBAN or ShredOS can perform this operation. For drives containing regulated personal data, using professional software that generates a certificate of erasure provides the documentation GDPR's accountability principle demands.
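The verified single-pass overwrite described above, as an added example that is not from the article or any of the tools it names: a file-backed drive image stands in for the HDD, a quick-format-style wipe of only the first 4 KiB fails verification and leaves a constructed personal-data record recoverable, and a full pass followed by a separate read-back check passes. The image contents and the record are constructed; the technique applies to HDDs only, since the article explains why SSDs need firmware-level commands instead.

```python
import os
import tempfile

BLOCK = 64 * 1024  # I/O granularity for the image; real tools use larger blocks


def overwrite(path, pattern=b"\x00"):
    """Single pass: write the pattern over every byte, then fsync so the data
    is on the media and not only in the OS page cache."""
    size = os.path.getsize(path)
    fill = pattern * BLOCK
    with open(path, "r+b") as dev:
        done = 0
        while done < size:
            n = min(BLOCK, size - done)
            dev.write(fill[:n])
            done += n
        dev.flush()
        os.fsync(dev.fileno())
    return size


def verify(path, pattern=b"\x00"):
    """Separate read-back pass: every block must equal the pattern. Returns a
    report usable in the erasure record (verified flag, bytes, bad offsets)."""
    fill = pattern * BLOCK
    bad_offsets, offset = [], 0
    with open(path, "rb") as dev:
        while True:
            block = dev.read(BLOCK)
            if not block:
                break
            if block != fill[:len(block)]:
                bad_offsets.append(offset)
            offset += len(block)
    return {"bytes_checked": offset, "verified": not bad_offsets,
            "bad_block_offsets": bad_offsets[:10],  # first ten only
            "pattern": pattern.hex()}


def contains(path, needle):
    """Would a recovery tool scanning the raw media still find this value?"""
    with open(path, "rb") as dev:
        return needle in dev.read()


def quick_format_only(path):
    """Mimics a quick format: only the first 4 KiB (where metadata lives) is
    zeroed and everything else stays. Shown for contrast, not as a method."""
    with open(path, "r+b") as dev:
        dev.write(b"\x00" * 4096)


def demo():
    # Constructed 'drive image' with a constructed personal-data record in it.
    record = b"name=Test Subject;email=subject@example.invalid;"
    with tempfile.TemporaryDirectory() as workdir:
        img = os.path.join(workdir, "disk.img")
        with open(img, "wb") as dev:
            dev.write(os.urandom(300_000) + record + os.urandom(200_000))
        quick_format_only(img)
        after_quick = verify(img)
        after_quick["record_recoverable"] = contains(img, record)
        overwrite(img)
        after_full = verify(img)
        after_full["record_recoverable"] = contains(img, record)
    return after_quick, after_full


if __name__ == "__main__":
    print(demo())
```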

For Solid State Drives (SSDs)

Overwriting an SSD does not provide the same assurance as overwriting an HDD. SSDs use wear leveling algorithms that distribute writes across flash memory cells to extend drive life. This means an overwrite operation cannot reach every physical cell — some cells containing old data will be skipped by the wear leveling controller. Over-provisioned areas (extra capacity reserved by the SSD for internal management) are also invisible to the operating system.

For SSDs, proper erasure requires firmware-level commands:

  • ATA Secure Erase — instructs the SSD controller to erase all cells, including over-provisioned and reallocated areas
  • NVMe Sanitize (Block Erase or Crypto Erase) — the equivalent command for NVMe drives
  • Cryptographic erase — for self-encrypting drives, destroying the encryption key renders all data permanently unreadable

These commands operate at the drive firmware level and can reach storage areas that are inaccessible to the operating system.

Physical Destruction

When drives are being decommissioned and will not be reused, physical destruction is an acceptable alternative. Shredding, disintegration, or incineration renders data irrecoverable. For SSDs, destruction must address all individual NAND flash chips — simply breaking a circuit board in half is not sufficient.

Physical destruction eliminates the possibility of reuse, which increases hardware costs but provides the highest level of certainty that data cannot be recovered.

Bottom Line: GDPR does not tell you which erasure method to use, but it requires that you can prove the method works. Following NIST 800-88 Rev. 2, using verified firmware-level commands for SSDs, and generating a certificate of erasure for every drive you sanitize is the most defensible approach. If a data protection authority investigates, you want documented evidence — not verbal assurances.

How to Build a GDPR-Compliant Erasure Process

A GDPR-compliant data erasure process is not just a technical procedure — it is an organizational workflow that covers the entire lifecycle of personal data, from collection to destruction.

Step 1: Map Your Personal Data

Before you can erase data, you need to know where it lives. Conduct a data mapping exercise (required under Article 30 anyway) to identify every system, database, application, file share, cloud service, backup system, and physical device that stores personal data. This includes employee laptops, mobile devices, USB drives, printers with internal storage, and decommissioned equipment in storage closets.

Step 2: Define Retention Periods

For each category of personal data, define how long it needs to be kept and the legal basis for that retention period. Customer transaction data might need to be retained for tax purposes for a set number of years. Job application data might only need to be kept for the duration of the recruitment process. Once the retention period expires, the data must be erased — this is not optional under Article 5(1)(e).

Step 3: Establish Erasure Procedures

Document specific procedures for each type of storage:

  • Active databases: Define how records are purged (not just flagged as deleted) and how downstream systems and data warehouses are updated
  • File systems: Define how files containing personal data are securely overwritten or the underlying media sanitized
  • Hard drives and SSDs: Follow NIST 800-88 Rev. 2 — overwrite HDDs, use firmware-level commands for SSDs
  • Cloud storage: Confirm your cloud provider's data deletion policies and timeline, and obtain written confirmation of deletion when possible
  • Backup systems: Document your approach to handling erasure requests for data in backups
  • Paper records: Include physical document destruction procedures (shredding, incineration)

Step 4: Handle Individual Erasure Requests

Build a workflow to receive, validate, process, and respond to erasure requests within the one-month deadline. This workflow should include identity verification (you need to confirm the requester is who they claim to be), a check against the exemptions listed in Article 17, coordination across all systems that hold the individual's data, and a confirmation sent back to the requester once erasure is complete.

Step 5: Automate Where Possible

For storage limitation compliance (the proactive, scheduled erasure required by Article 5(1)(e)), manual processes do not scale. Implement automated data retention policies in your databases and file systems. For hardware decommissioning, standardize on a single erasure tool that generates certificates automatically and maintains an audit trail. Our guide to wiping a hard drive covers the technical steps for individual drives.

Documentation and Proof of Erasure

GDPR's accountability principle (Article 5(2)) states that you must not only comply with the regulation — you must be able to demonstrate that you comply. For data erasure, this means keeping records.

What to Document

For every erasure event — whether triggered by an individual request or by an expiring retention period — record:

  • What was erased: The category of personal data and the systems or devices involved
  • When it was erased: Date and time of the erasure
  • How it was erased: The method used (overwrite, firmware-level erase, cryptographic erase, physical destruction) and the standard followed (e.g., NIST 800-88 Rev. 2 Purge)
  • Who performed the erasure: The individual or team responsible
  • Verification results: Confirmation that the erasure was verified successfully
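Steps 2 and 5 of the process above (defined retention periods, automated purge) together with the record fields just listed, as an added example that is not part of the original article: a scheduled job that decides per record whether erasure is due on storage-limitation or consent-withdrawal grounds, honours a legal-hold exception, removes the record from every system named in the data map, verifies that no copy remains, and writes one log entry with what, when, how, who and verification. The retention schedule, category names, system names and the procedure name are constructed assumptions, not legal guidance.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Policy:
    days: Optional[int]   # fixed retention period, or None when only consent keeps it
    basis: str            # legal basis recorded in the retention schedule
    consent_based: bool


# Constructed retention schedule; the periods are assumptions, not legal advice.
RETENTION = {
    "order_invoice": Policy(10 * 365, "tax record keeping (assumed 10 years)", False),
    "job_application": Policy(180, "recruitment process (assumed 6 months)", False),
    "newsletter_subscriber": Policy(None, "consent (Art. 6(1)(a))", True),
}


@dataclass
class Record:
    record_id: str
    subject_id: str
    category: str
    collected: date
    systems: tuple            # every system holding a copy, from the data map
    consent_withdrawn: bool = False
    legal_hold: bool = False  # needed for a legal claim: Art. 17(3)(e) exception


def erasure_ground(rec, today):
    """Return why erasure is due for this record, or None if it may be kept."""
    if rec.legal_hold:
        return None
    policy = RETENTION[rec.category]
    if policy.consent_based and rec.consent_withdrawn:
        return "consent withdrawn (Art. 17(1)(b))"
    if policy.days is not None and today - rec.collected > timedelta(days=policy.days):
        return "retention period expired (Art. 5(1)(e))"
    return None


def scheduled_purge(records, copies, today, operator, method):
    """Erase every due record from each system holding it; return the kept
    records and the erasure log. `copies` maps system name -> set of record
    ids still stored and stands in for the real databases."""
    log, kept = [], []
    for rec in records:
        ground = erasure_ground(rec, today)
        if ground is None:
            kept.append(rec)
            continue
        for system in rec.systems:
            copies[system].discard(rec.record_id)
        # Verification must look at every system, not only the primary one.
        leftovers = [s for s in copies if rec.record_id in copies[s]]
        log.append({
            "what": {"category": rec.category, "subject": rec.subject_id,
                     "systems": list(rec.systems)},
            "when": today.isoformat(),
            "how": method,
            "who": operator,
            "ground": ground,
            "verification": "passed" if not leftovers else f"FAILED: still in {leftovers}",
        })
    return kept, log


def demo(today=date(2026, 2, 1)):
    # Constructed records and a constructed map of which system holds which copy.
    records = [
        Record("r1", "s1", "order_invoice", date(2014, 1, 15), ("erp", "warehouse")),
        Record("r2", "s2", "order_invoice", date(2024, 6, 1), ("erp", "warehouse")),
        Record("r3", "s3", "job_application", date(2025, 6, 1), ("hr",)),
        Record("r4", "s4", "job_application", date(2025, 6, 1), ("hr",), legal_hold=True),
        Record("r5", "s5", "newsletter_subscriber", date(2025, 9, 1), ("mail",),
               consent_withdrawn=True),
        Record("r6", "s6", "newsletter_subscriber", date(2025, 9, 1), ("mail",)),
    ]
    copies = {"erp": {"r1", "r2"}, "warehouse": {"r1", "r2"},
              "hr": {"r3", "r4"}, "mail": {"r5", "r6"}}
    return scheduled_purge(records, copies, today, "retention-job",
                           "database record purge, procedure DP-ERASE-01 (assumed name)")
```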

Certificates of Data Erasure

A certificate of data erasure is a formal document generated by professional erasure software that captures all of the above information in a tamper-proof format. It typically includes the drive serial number, make and model, the erasure method applied, the start and end time, verification results, and a unique certificate identifier.

For GDPR compliance, erasure certificates serve two purposes. First, they satisfy the accountability principle by providing auditable proof. Second, they create a paper trail that can be produced during regulatory investigations, data subject access requests, or legal proceedings. Tools like BitRaser Drive Eraser and Blancco generate these certificates automatically for every drive processed.

If you use free tools that do not generate certificates, you will need to create equivalent documentation manually — recording the same information in a log, spreadsheet, or asset management system. This is doable but adds operational overhead and is harder to maintain consistently at scale.

GDPR Penalties for Failing to Erase Data

GDPR enforcement has teeth. Violations of Article 17 fall under the regulation's higher penalty tier.

The Penalty Structure

  • Maximum fine: 20 million euros or 4% of annual global turnover, whichever is greater
  • Corrective powers: Supervisory authorities can also issue warnings, reprimands, orders to comply, temporary or permanent bans on processing, and orders to communicate a data breach to affected individuals

The 4% turnover calculation applies to the entire corporate group, not just the subsidiary that committed the violation. For multinational companies, this can translate to fines in the hundreds of millions or even billions of euros.

Real-World Enforcement

Data protection authorities have not been shy about issuing large fines. Meta received a 1.2 billion euro fine from the Irish DPC in 2023 for data transfer violations. Amazon was fined 746 million euros by Luxembourg's CNPD. While these headline cases involved broad processing violations rather than erasure specifically, smaller but significant fines have targeted erasure failures directly.

Organizations have been fined for continuing to send marketing emails after individuals requested erasure, for failing to delete personal data from systems after the purpose of collection had ended, for retaining employee data beyond the legally permitted period, and for inadequate data destruction when decommissioning IT equipment.

The pattern is clear: supervisory authorities view the right to erasure as a fundamental data subject right, and failure to honor it draws enforcement action. For organizations that also handle U.S. health data, similar data destruction requirements exist under HIPAA, making a unified erasure process valuable for dual compliance.

Extra-Territorial Reach

GDPR Article 3 gives the regulation extra-territorial scope. If your organization is based in the United States, Japan, Brazil, or anywhere else outside the EU, but you process personal data of EU residents — whether through a website accessible from the EU, through having EU customers, or through monitoring EU individuals' behavior — GDPR applies to you. This includes its data erasure requirements and its enforcement provisions. EU data protection authorities can and have pursued enforcement actions against non-EU organizations.

The UK GDPR, which took effect after Brexit, mirrors these provisions with the UK ICO as the supervisory authority. Organizations handling both EU and UK data should treat the two frameworks as functionally equivalent for data erasure purposes.

Recommended Software for GDPR-Compliant Erasure

Choosing the right erasure tool depends on your scale, the types of storage media you handle, and whether you need automated compliance documentation.

Enterprise and Regulated Organizations

Blancco is the most widely deployed enterprise erasure platform in Europe. It supports centralized management of erasure across thousands of drives, generates certificates of erasure that reference GDPR and NIST 800-88, and integrates with IT asset management systems. Blancco is the go-to choice for large organizations, IT asset disposition (ITAD) companies, and enterprises that need to demonstrate compliance across multiple sites and jurisdictions.

BitRaser Drive Eraser provides similar capabilities with a focus on compliance reporting. It generates tamper-proof certificates referencing NIST 800-88, IEEE 2883, and GDPR. BitRaser supports both HDDs and SSDs (including firmware-level Purge commands for SSDs) and offers cloud-based certificate storage for centralized audit trails. It is a strong fit for mid-sized organizations and IT departments that need professional-grade erasure without the complexity of a full enterprise deployment.

Small and Mid-Sized Businesses

KillDisk offers a balance between capability and cost. It supports multiple erasure standards, works with both HDDs and SSDs, and provides certificates of erasure. Its per-drive licensing model can be more economical for organizations that do not process high volumes of hardware. KillDisk is a practical choice for businesses that handle occasional hardware decommissioning rather than continuous IT asset turnover.

Choosing Based on Your Needs

The key features to look for in any GDPR-focused erasure tool are: support for firmware-level SSD commands (ATA Secure Erase, NVMe Sanitize), automated verification after erasure, certificate of erasure generation, and audit-trail capabilities. Free tools can handle the technical erasure, but they typically lack the documentation features that GDPR's accountability principle demands. For a full comparison, see our best data erasure software roundup.

Frequently Asked Questions

What does GDPR say about data erasure?

GDPR Article 17 gives individuals the right to request that organizations erase their personal data without undue delay. Organizations must comply when the data is no longer necessary for its original purpose, when consent is withdrawn, when the individual objects to processing, or when the data was processed unlawfully. Article 5(1)(e) also requires that personal data not be kept longer than necessary, and Article 32 requires appropriate security measures — including secure disposal — to protect personal data.

Does GDPR apply to companies outside the EU?

Yes. GDPR has extra-territorial scope under Article 3. Any organization that offers goods or services to individuals in the EU or UK, or that monitors the behavior of individuals in the EU or UK, must comply with GDPR — regardless of where the organization is physically located. A company in the United States that processes EU customer data is subject to GDPR, including its data erasure requirements.

Is deleting a file the same as erasing it under GDPR?

No. Deleting a file through the operating system only removes the pointer to that data — the actual contents remain on the storage device until overwritten. GDPR requires that personal data be rendered irrecoverable, which means using proper data sanitization techniques such as overwriting, firmware-level erase commands, cryptographic erasure, or physical destruction. A simple file deletion does not satisfy the regulation.

What are the penalties for failing to erase data under GDPR?

Violations of Article 17 (Right to Erasure) fall under the higher penalty tier: up to 20 million euros or 4% of annual global turnover, whichever is greater. Supervisory authorities can also issue warnings, reprimands, and orders to comply. Since GDPR enforcement began in 2018, data protection authorities across Europe have issued billions of euros in total fines, with erasure-related failures contributing to several high-profile penalties.

How long does an organization have to respond to an erasure request?

Organizations must respond to a data subject erasure request without undue delay and at most within one calendar month of receiving the request. This deadline can be extended by two additional months for complex or numerous requests, but the organization must inform the individual of the extension and the reasons within the initial one-month window.

Do I need a certificate of data erasure for GDPR compliance?

GDPR does not explicitly require a certificate of erasure, but Article 5(2) imposes an accountability principle — you must be able to demonstrate compliance. In practice, this means maintaining auditable records of when, how, and by whom data was erased. A certificate of data erasure generated by professional software provides exactly this documentation and is considered best practice by most data protection authorities.

What technical methods satisfy GDPR data erasure requirements?

GDPR does not prescribe a specific technical standard, but it requires that erasure render data irrecoverable. Following NIST 800-88 Rev. 2 is widely accepted as meeting this requirement. For HDDs, a verified single-pass overwrite is sufficient. For SSDs, firmware-level commands such as ATA Secure Erase or NVMe Sanitize are necessary because overwriting cannot reach all data due to wear leveling. Physical destruction is also acceptable when drives are not being reused.

Can an organization refuse a GDPR erasure request?

Yes, in specific circumstances. Organizations can refuse if the data is needed for exercising the right of freedom of expression, for compliance with a legal obligation, for public health purposes, for archiving in the public interest or scientific research, or for establishing, exercising, or defending legal claims. The organization must inform the individual of the refusal, the reasons, and their right to lodge a complaint with a supervisory authority.

Does GDPR require erasing data from backups?

GDPR does not create an explicit exception for backup systems, so technically the right to erasure extends to backups. However, most data protection authorities accept a pragmatic approach: if erasing from backups is technically impossible or disproportionately difficult, you can instead ensure the data is not restored from backup and will be erased when the backup expires through its normal lifecycle. You must document this approach and ensure the data in backups remains protected.

How does UK GDPR differ from EU GDPR on data erasure?

UK GDPR, which took effect after Brexit, is nearly identical to EU GDPR on data erasure provisions. Article 17 and the Right to Erasure remain the same in substance. The main differences are administrative — the UK Information Commissioner's Office (ICO) is the supervisory authority instead of EU data protection authorities, and penalties are denominated in British pounds rather than euros. Organizations handling both EU and UK data should treat the requirements as functionally equivalent.

The Bottom Line

GDPR requires that personal data be permanently erased — not just deleted — when an individual requests it or when your retention period expires. Follow NIST 800-88 Rev. 2 as your technical framework, use firmware-level commands for SSDs, and generate certificates of erasure for every drive you process. The penalties for getting this wrong reach 4% of global turnover. If you also handle California resident data, see our CCPA/CPRA data destruction guide for the US equivalent. Start with our complete guide to wiping a hard drive for step-by-step technical instructions.


Last updated: February 2026. We regularly review and update our guides to ensure accuracy.
