Right to Erasure/Blocking
Plain English Translation
Data subjects may demand the suspension, blocking, removal, or destruction of their personal data where it is incomplete, outdated, false, unlawfully obtained, or being used for an unauthorized purpose. This right of erasure and blocking must be supported by a documented process for reviewing and acting on valid requests. Controllers must notify relevant third parties of any blocking or erasure that has taken place.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Create a standard operating procedure for manually identifying and deleting user records from primary databases upon verified request.
- Implement basic status flags to 'block' data from active processing while a deletion request is being evaluated.
Required Actions (scaleup)
- Implement automated data deletion scripts that trigger across all integrated databases and applications when a verified request is approved.
- Establish a formal Data Subject Request ticketing queue to track request receipt, evaluation, and resolution timelines.
Required Actions (enterprise)
- Deploy enterprise-grade data lifecycle management tools that automatically execute cryptographic erasure across active storage and complex backups.
- Integrate webhook notifications to automatically cascade deletion commands to all downstream third-party data processors and vendors.
It is the right of a data subject to suspend, withdraw, or order the blocking, removal, or destruction of their personal data from a personal information controller's filing system.
A data subject can request deletion upon discovery and substantial proof that their data is incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes, or no longer necessary.
Any personal data that is proven to be incomplete, outdated, false, unlawfully obtained, used for unauthorized purposes, or no longer necessary for its original declared purpose.
The company must verify the requestor's identity, evaluate the provided proof, and upon validation, promptly block or destroy the data across all systems, while logging the actions taken.
The data subject must present substantial proof demonstrating that the data falls under the specific statutory conditions, such as evidence that it is outdated, false, or unlawfully obtained.
While the statute does not explicitly use the term 'right to be forgotten,' the right to erasure, removal, or destruction of personal data provides a very similar protective mechanism.
Yes, a company can legitimately refuse if the data is still strictly necessary for the performance of a contract, a legal obligation, dispute resolution, or if the request is deemed vexatious.
While the DPA does not always state a specific day count for every request type, organizations are required to act immediately or within a reasonable timeframe as defined by general NPC guidelines.
Blocking restricts further processing without deleting the data, removal takes it out of active systems, and destruction permanently obliterates the data so it cannot be recovered.
Organizations should maintain a comprehensive Data Subject Request Log detailing the request date, identity verification, technical actions taken, and notifications sent to third parties. Tools like WatchDog Security's Compliance Center can help retain evidence of request handling, approvals, and completion status for audit review.
Erasure requests often fail when teams cannot prove intake, review, approval, deletion actions, and third-party notices were handled consistently. Tools like WatchDog Security's Compliance Center can centralize control ownership, request evidence, action logs, and framework mappings so the organization can demonstrate a repeatable process.
Approved erasure or blocking requests may require notifying processors, vendors, or other recipients that previously received the data. Tools like WatchDog Security's Vendor Risk Management can maintain a vendor catalog, processor relationships, and follow-up records so third-party notification obligations are easier to track.
"The data subject shall have the right to suspend, withdraw or order the blocking, removal or destruction of his or her personal data from the personal information controller’s filing system."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-06 | Compliance Content Team | Initial publication |

