A Data Principal's right to have their personal data completely erased when processing is no longer necessary.
The Right to Erasure allows Data Principals to demand deletion of their personal data when: the specified purpose has been served, consent has been withdrawn, or there is no longer a legal basis for continued processing. Upon receiving an erasure request, the Data Fiduciary must delete the data from all systems and direct all processors to do the same. Exceptions exist for statutory retention requirements and legitimate legal claims.
Erasure requests can be complex when data is spread across multiple systems and processors. You need automated workflows that identify all instances of a person's data and orchestrate deletion across your entire technology stack.
A former user of a Delhi dating app requests full erasure. The app must delete their profile, photos, chat history, match data, and analytics records — and instruct AWS (hosting), Twilio (SMS), and Firebase (push notifications) to delete their data too.
The right to erasure is not absolute. Legal obligations (tax records, court orders) can override erasure requests. But you must still delete all data not covered by a specific legal retention requirement.
DPDPA Shield automates Data Principal Rights. See how →