GDPR Article 17 gives individuals the right to request permanent deletion of their personal data. Simply deleting files or emptying the recycle bin does not satisfy this requirement because the data remains recoverable on the drive. Compliance requires overwriting the data using a recognized erasure standard (such as NIST 800-88 or DoD 5220.22-M) and maintaining documentation that proves the erasure was performed. Univik File Eraser performs certified data wiping and generates erasure reports that serve as compliance documentation for GDPR audits.
Introduction
When a customer or employee submits a data erasure request under GDPR, your organization has 30 days to comply. The regulation does not define the technical method you must use. It states that personal data must be erased “without undue delay” and that the erasure must be permanent. This creates a practical problem: most organizations delete files the normal way (right-click and delete or format the drive) without realizing that standard deletion leaves the data fully recoverable.
A GDPR supervisory authority auditing your erasure process will ask two questions. First: was the data actually destroyed beyond recovery? Second: can you prove it? This guide covers the technical requirements for both. It explains what Article 17 demands and which erasure methods satisfy those demands and how to generate the documentation that proves compliance during an audit.
What Article 17 Requires
Article 17 of the General Data Protection Regulation establishes the “right to erasure” (commonly called the “right to be forgotten”). When a data subject submits a valid erasure request, the data controller must erase all personal data relating to that individual without undue delay. The regulation sets a maximum response time of one calendar month from receiving the request. Extensions of up to two additional months are permitted for complex requests but the data subject must be informed of the delay within the first month.
The obligation extends beyond your own systems. Article 17(2) states that if you have made the personal data public, you must take “reasonable steps” to inform other controllers who are processing that data to erase it as well. This includes any third-party services or processors you have shared the data with.
The regulation does not prescribe a specific technical method for erasure. However, Recital 26 clarifies that data is only considered anonymous (and therefore outside GDPR scope) when it cannot be linked back to an individual by “any means reasonably likely to be used.” This means your erasure method must make recovery unreasonable, not just inconvenient.
What Counts as Personal Data
GDPR defines personal data broadly. Any information that can directly or indirectly identify a living individual falls under the regulation. The scope is wider than most organizations expect.
| Category | Examples | Common File Locations |
|---|---|---|
| Direct identifiers | Full name and email address and phone number | CRM databases and email archives and contact lists |
| Online identifiers | IP addresses and cookie IDs and device fingerprints | Server logs and analytics databases and tracking pixels |
| Financial data | Bank details and transaction records and invoices | Accounting software and payment databases and spreadsheets |
| Employment records | Salary details and performance reviews and contracts | HR systems and shared drives and email attachments |
| Special category data | Health records and biometric data and political opinions | Healthcare databases and access control systems |
| Pseudonymized data | Hashed identifiers and encrypted records with key access | Data warehouses and research databases |
Pseudonymized data remains personal data under GDPR as long as the organization retains the means to re-identify the individual. Only fully anonymized data (where re-identification is not reasonably possible) falls outside the regulation’s scope.
The Six Legal Grounds for Erasure
A data subject can request erasure under any of these six conditions defined in Article 17(1).
1. Purpose fulfilled. The data was collected for a specific purpose and that purpose has been completed. A job application kept after the hiring decision is a common example.
2. Consent withdrawn. The individual originally provided consent for processing and has now withdrawn it. If consent was the sole legal basis for processing, the data must be erased.
3. Right to object. The individual objects to processing under Article 21 and there are no overriding legitimate grounds to continue processing.
4. Unlawful processing. The data was processed without a valid legal basis. This includes data collected without proper consent or beyond the scope of a contract.
5. Legal obligation. Erasure is required to comply with an EU or member state law.
6. Child’s data. The data was collected from a child in connection with information society services (such as social media or apps). Children receive enhanced protection under GDPR.
When You Can Refuse an Erasure Request
Article 17(3) lists specific exceptions where you can legitimately refuse an erasure request. Understanding these exceptions is important because over-deletion (erasing data you were legally required to retain) creates its own compliance problems.
Freedom of expression. Data required for journalistic purposes or academic and artistic and literary expression. A news organization can retain published articles containing personal data.
Legal obligation to retain. Tax records and accounting documents and employment records often have mandatory retention periods under national law. In the UK, HMRC requires financial records for six years. German tax law mandates ten years for certain documents.
Public health. Data processed in the public interest for public health purposes (such as disease monitoring or pharmaceutical safety) can be retained.
Archiving in public interest. Data kept for scientific or historical research or statistical purposes where erasure would seriously impair the research objectives.
Legal claims. Data necessary for establishing or exercising or defending legal claims. If litigation is pending or reasonably anticipated, you can retain relevant data until the matter concludes.
When refusing a request, you must inform the data subject of the refusal and the reason within one month. You must also inform them of their right to lodge a complaint with a supervisory authority.
Why Pressing Delete Is Not Enough
Standard file deletion removes only the file system pointer. The actual data remains on the drive in the same physical location until the operating system happens to overwrite that space with new data. On a drive with available storage, deleted files can persist for months or years.
This matters for GDPR because free data recovery tools can retrieve deleted files in minutes. If your erasure process consists of deleting files and emptying the recycle bin, a supervisory authority can demonstrate that the data was not actually erased. The same applies to formatting a drive: a standard format clears the file table but leaves the data sectors intact.
Even a factory reset with the “Clean the drive” option (which performs a single-pass zero overwrite) may not satisfy regulators in high-risk scenarios. The UK Information Commissioner’s Office (ICO) guidance on data disposal recommends using overwriting software that meets recognized standards and generating a certificate of destruction as evidence of compliance.
Which Erasure Standards Satisfy GDPR
GDPR does not mandate a specific erasure standard. However, regulatory guidance and industry best practices point to several recognized methods that demonstrate due diligence.
| Standard | Passes | Recognized By | Recommended For |
|---|---|---|---|
| NIST 800-88 Clear | 1 + verification | US government and widely adopted in EU | General business data on SSDs and HDDs |
| NIST 800-88 Purge | Varies by media | US government and widely adopted in EU | Sensitive data and special category data |
| DoD 5220.22-M | 3 | US Department of Defense | Standard business and personal data on HDDs |
| HMG Infosec Standard 5 | 1 (overwrite + verify) | UK government (NCSC) | UK organizations and public sector |
| BSI-GSE (German Federal Office) | 1-7 (risk-based) | German BSI | German organizations and EU public sector |
| Gutmann | 35 | Academic standard | Legacy magnetic media (not needed for modern drives) |
For most GDPR compliance scenarios, NIST 800-88 Clear (for routine personal data) or DoD 5220.22-M (for sensitive records) provides sufficient assurance. The critical factor is not the number of passes but the ability to verify that the overwrite completed successfully and to document it.
How to Perform GDPR-Compliant Erasure with Univik File Eraser
Univik File Eraser supports multiple recognized erasure standards and generates the compliance documentation that GDPR audits require. Here is the workflow for handling an Article 17 erasure request.
Step 1: Locate all instances of the data subject’s personal data. Search your file systems and email archives and databases and backup drives for any files containing the individual’s information. Check shared drives and local copies and email attachments. GDPR requires you to erase all copies, not just the primary record.
Step 2: Select the appropriate erasure scope. Use “Wipe Files/Folders” to target specific files containing the individual’s data. This mode overwrites only the selected items without affecting other data on the drive. For situations where personal data was scattered across many locations, use “Wipe Free Space” after deleting the identified files to ensure no recoverable remnants remain.
Step 3: Choose an erasure standard. Select DoD 5220.22-M (3-pass) for standard personal data or NIST 800-88 for routine erasure with verification. For special category data (health records or biometric data or data about children), consider the 7-pass DoD ECE method for additional assurance.
Step 4: Execute the erasure and save the report. Univik File Eraser generates an erasure report upon completion. This report documents the files overwritten and the erasure standard used and the date and time of completion and the verification result. Save this report in your GDPR compliance records.
Step 5: Confirm erasure to the data subject. Respond to the individual within the 30-day deadline confirming that their personal data has been permanently erased from all systems. If you shared their data with third-party processors, confirm that you have notified those processors to erase it as well.
Generating an Erasure Certificate
Documentation is the difference between claiming compliance and proving it. When a supervisory authority investigates your data handling practices, they will request evidence that erasure requests were fulfilled completely and permanently.
An effective erasure certificate should contain the following elements.
Erasure Certificate Contents
Date and time of erasure: Exact timestamp when the wiping process completed
Erasure standard used: The specific method applied (e.g., DoD 5220.22-M 3-pass)
Files or areas wiped: List of files destroyed or confirmation that free space was wiped
Drive identification: Serial number or identifier of the storage device
Verification result: Confirmation that the overwrite completed without errors
Operator identification: Name or ID of the person who performed the erasure
Data subject reference: Internal reference number linking to the erasure request (not the individual’s personal data)
Univik File Eraser generates reports that include the erasure method and file list and completion timestamp and verification status. Pair this report with your internal records (the original erasure request and your response to the data subject) to create a complete audit trail. Store these records according to your organization’s retention policy for compliance documentation.
Hidden Storage Locations You Must Address
The most common GDPR erasure failure is incomplete scope. Organizations erase the primary record but overlook copies of personal data stored in less obvious locations.
Email archives: Correspondence with or about the data subject contains personal data. Search Outlook PST files and email server archives and sent folders for messages containing the individual’s name or email address or account number.
Backup drives and tapes: If your backup system captured the data before the erasure request, those backups still contain the personal data. GDPR allows a pragmatic approach: you can note the erasure obligation and apply it when the backup is next restored or rotated rather than restoring every backup to delete one record.
Cloud sync and collaboration tools: Files shared via OneDrive or Google Drive or SharePoint or Slack may have copies in multiple team members’ sync folders. Check shared drives and collaboration spaces.
Application caches and logs: CRM systems and customer support platforms and analytics tools often cache personal data locally. Browser auto-fill databases may contain names and addresses and phone numbers from form submissions.
Temporary files and system caches: Windows pagefile.sys and hiberfil.sys and temporary directories can contain fragments of personal data from documents that were open in memory. The “Clean System Traces” feature in Univik File Eraser targets these system-level caches that manual deletion misses.
Frequently Asked Questions
What is the penalty for non-compliance with GDPR erasure requests?
Failure to comply with Article 17 can result in fines of up to 20 million euros or 4% of annual global turnover (whichever is higher). Supervisory authorities consider factors like the severity of the violation and whether the organization demonstrated good faith efforts. Maintaining proper erasure documentation significantly reduces risk.
Does GDPR apply to paper records?
Yes. GDPR applies to personal data in filing systems structured by reference to individuals. Paper records organized for retrieval by name or reference number are covered. Physical documents should be cross-cut shredded (DIN 66399 security level P-4 or higher).
How do I handle erasure requests for data in active databases?
Delete the individual’s records and run a secure overwrite on the freed database space. For databases that use soft-delete (marking records as inactive), you must perform a hard delete that removes data from storage. Verify that transaction logs do not retain deleted records indefinitely.
Does encryption satisfy the erasure requirement?
Several EU data protection authorities accept cryptographic erasure (destroying the encryption key) as valid when the encryption is strong enough that decryption without the key is not reasonably possible. However, you must prove that the key was destroyed and that no copies exist. Physical overwriting provides a more direct compliance path.
Do I need to erase data from all backups immediately?
Regulators generally accept a pragmatic approach. You can record the erasure obligation and apply it when the backup is next accessed or when the media reaches its scheduled rotation. You must not actively restore personal data from a backup after receiving a valid erasure request. Document your backup erasure policy as part of your GDPR records.
Conclusion
Last verified: February 2026. GDPR Article 17 requirements verified against the regulation text (Regulation (EU) 2016/679). Erasure standards verified against NIST SP 800-88 Rev. 1, UK NCSC guidance on secure sanitization and German BSI IT-Grundschutz methodology. Penalty figures current as of the regulation text. Supervisory authority guidance referenced from ICO (UK) and CNIL (France) published guidance on data disposal.
GDPR compliance is not just about deleting files. It requires permanent destruction of personal data using a method that makes recovery unreasonable and documentation that proves the destruction was performed. Standard deletion and factory resets fail both tests. Univik File Eraser addresses both requirements: it overwrites data using recognized standards (NIST 800-88 and DoD 5220.22-M and Gutmann) and generates erasure reports that serve as audit-ready compliance documentation.
GDPR erasure in three steps: (1) Locate every copy of the data subject’s personal data across all systems. (2) Permanently destroy each copy using Univik File Eraser with a recognized erasure standard. (3) Save the erasure report and confirm deletion to the data subject within 30 days. The report is your proof of compliance.
