Understanding Data Deletion Requests Under GDPR in Ireland

Data deletion requests form a cornerstone of the General Data Protection Regulation (GDPR) and are formally known as the right to erasure or the “right to be forgotten.” For Irish organisations, processing these requests correctly is not merely a legal obligation under the GDPR and the Irish Data Protection Act 2018; it is a critical component of building and maintaining trust with customers, employees, and other data subjects.

The right to erasure is outlined in Article 17 of the GDPR. It empowers individuals to request that an organisation delete their personal data without undue delay. However, this right is not absolute and must be balanced against other legal obligations such as retention requirements under tax law, employment law, or anti-money laundering regulations. Irish organisations must navigate these intersecting requirements carefully, ensuring they honour legitimate erasure requests while retaining data where necessary for compliance or defence of legal claims.

When Does the Right to Erasure Apply?

An individual’s right to have personal data erased applies in several specific circumstances. Organisations must acknowledge a valid request when any of the following conditions are met:

  • The personal data is no longer necessary for the purpose for which it was originally collected or processed.
  • The individual withdraws consent on which the processing is based, and there is no other legal ground for processing.
  • The individual objects to processing under Article 21(1) (processing based on legitimate interests or public interest) and there are no overriding legitimate grounds.
  • Personal data has been unlawfully processed (e.g., collected without valid legal basis).
  • Compliance with a legal obligation in EU or Member State law requires erasure.
  • Personal data has been collected from a child (under 16 in Ireland) in relation to information society services (e.g., social media) under Article 8.

Exceptions Where Erasure Cannot Be Granted

Organisations in Ireland may, and in some cases must, refuse erasure. The GDPR provides for exceptions, which include:

  • Exercising the right of freedom of expression and information.
  • Compliance with a legal obligation (e.g., retention of payroll records for seven years under Irish Revenue Commissioners requirements).
  • The performance of a task carried out in the public interest or in the exercise of official authority.
  • Archiving purposes in the public interest, scientific or historical research, or statistical purposes where erasure would seriously impair the achievement of those objectives.
  • The establishment, exercise, or defence of legal claims.

Irish organisations must document the reasons for any refusal to erase data and, within one month of receiving the request, inform the data subject of the refusal, the reasons for it, and their right to complain to the Data Protection Commission (DPC). The DPC, Ireland’s independent supervisory authority, sets the standard for compliance and can impose significant fines for mishandling requests.

Step-by-Step Process for Managing Data Deletion Requests in Ireland

Establishing a robust, repeatable workflow for handling data deletion requests reduces legal risk and operational confusion. Below is an expanded step-by-step guide tailored to the Irish regulatory context.

1. Receive and Log the Request

Any credible communication from a data subject requesting erasure should be treated as a formal request. This includes emailed requests, postal letters, verbal requests, or online forms. Organisations should log each request immediately in a centralised register that records the date received, the requester’s identity (subject to verification), and the specific data they want erased. A reasonable five-business-day initial acknowledgment period sets a positive tone.

It is important to distinguish a deletion request from a request for rectification, restriction of processing, or portability. If the individual’s intention is unclear, contact them within the same acknowledgment to clarify the scope of their request under Article 12 of GDPR.

2. Verify the Identity of the Requester

Before proceeding with any data removal, you must confirm that the requester is who they claim to be. Under the GDPR and Irish guidelines, you can request additional information to confirm identity, but you must not require excessive amounts of data. Simple measures include:

  • Asking for a copy of a government-issued ID (passport or driving licence) with non-essential details redacted.
  • Sending a verification email or SMS code to the registered contact address.
  • Verifying via two-factor authentication if the user has an account with your service.

Important: If the request is made on behalf of another person (e.g., by a parent or legal guardian), request proof of the individual’s authority to act. Irish law requires strict handling of third-party requests to prevent unauthorised deletion.

If you are unable to verify identity, you are entitled to refuse the deletion request, but you must inform the requester promptly and explain what information they need to provide to re-submit.

3. Assess the Legitimacy and Scope of the Request

Once identity is confirmed, evaluate whether the request falls under one of the Article 17 conditions (see earlier section). Consider the following factors:

  • Legal basis: On what grounds was the data originally processed? If it relies on consent that has been withdrawn, erasure is mandatory unless an exception applies.
  • Retention obligations: In Ireland, the Revenue Commissioners require employers to retain certain records (e.g., P60s, P45s, payroll records) for seven years. Similarly, the Statute of Limitations 1957 (as amended) may require retention of contract or claim-related data for up to six years.
  • Vital interests: If processing is necessary to protect the vital interests of the data subject or another person, erasure may be withheld.
  • Public health or safety: Organisations in healthcare or social care may need to retain data for public health purposes, in line with Irish health regulations.

Document your assessment findings and the legal basis for your decision. If the request is complex (e.g., involves multiple systems, backups, or third-party data processors), note that the timeline to respond (one month) may be extended by up to two additional months under Article 12(3), provided you inform the individual within the first month, including the reasons for delay.

4. Locate All Instances of the Individual’s Data

This step is often the most challenging for Irish organisations, especially those with fragmented IT systems, legacy databases, paper files, or extensive third-party data processors. A complete data mapping exercise is essential. Data deletion is not effective if copies remain in archived backups, CRM systems, email servers, cloud storage, or employee spreadsheets.

Practical tips for comprehensive data discovery:

  • Search across all databases, data warehouses, and data lakes.
  • Check email archives (e.g., Exchange or Office 365 retention policies).
  • Review logs and metadata storage.
  • Contact third-party processors (e.g., SaaS providers, HR platforms, marketing tools) and request confirmation that they will delete the data as per your data processing agreement (DPA). Under GDPR Article 28, processors must assist the controller in fulfilling erasure obligations.
  • Remember that backup data may need to be restored, amended, and backed up again; in some cases the backup must instead be overwritten during its natural rotation cycle. If deletion from backups is technically infeasible (e.g., tape backups), you can restrict further processing of those backups until the next scheduled overwrite, provided you document this and notify the data subject.

5. Securely Delete the Data

Once you have located all instances, erase the data in a manner that prevents reconstruction. The Irish Data Protection Commission advises that deletion methods should be proportionate to the risk and sensitivity of the data.

  • Digital data: Use secure deletion tools that overwrite files with random patterns (e.g., DoD-compliant methods for magnetic hard drives). Overwriting is not reliable on SSDs or on storage you do not control, so prefer the device’s built-in secure-erase command or cryptographic erasure (destroying the key that encrypts the data) there. For cloud data, ensure that the provider confirms deletion from all redundant copies.
  • Physical data: Have paper records shredded and disposed of by a certified destruction service. Maintain a certificate of destruction for audit trails.
  • Test/development environments: Ensure that no copies of the data exist in test or staging systems.

Where deletion is not possible due to technical constraints (e.g., in immutable backups), you must instead restrict processing until the data is overwritten naturally. This restriction should be communicated to the data subject.

6. Notify the Requester and Document the Outcome

After deletion, send a confirmation to the data subject within the statutory time frame (usually one month). The confirmation should include:

  • What data has been deleted (general description).
  • Where it has been deleted from (systems, departments).
  • Any data that could not be deleted and the legal basis for retention.
  • Information about their right to lodge a complaint with the Data Protection Commission if they are dissatisfied.

Maintain a detailed record of the entire process. This record should include:

  • The original request and identity verification details.
  • Assessment notes and decisions.
  • Logs of data discovery and deletion actions.
  • Correspondence with the requester and any third-party processors.
  • Date of completion.

These records must be kept secure and retained at least as long as any potential complaint period (typically up to two years from the request completion). The DPC may request to see them during an investigation.

7. Review, Audit, and Improve

Handling a data deletion request is not the end of the process. Organisations should schedule periodic audits of their data management practices, including a sample of deletion requests. Consider these review points:

  • Were all systems covered? Did a data deletion in one system leave copies in another?
  • Were response times within the one-month (or extended) timeline?
  • Were any patterns of incompleteness identified?
  • Are data retention schedules up to date with Irish legislation changes?

Use the insights from audits to refine your data mapping and deletion SOPs. Continuous improvement reduces the risk of non-compliance and builds a privacy-friendly culture.

Operating in Ireland means that organisations must comply not only with the GDPR but also with the Data Protection Act 2018, which transposes certain GDPR provisions and introduces additional national derogations. The Data Protection Act 2018, for example, specifies when exemptions for processing for journalistic, academic, literary, or artistic purposes apply. It also defines processing of personal data for “personal or household purposes.”

The Data Protection Commission (DPC) is the lead authority for most cross-border GDPR cases within the EU (due to the location of many tech multinationals in Ireland). As such, Irish organisations of all sizes should be aware of the DPC’s enforcement priorities. The DPC has issued significant fines for failures related to the right to erasure, including cases where organisations failed to adequately delete data or failed to process requests within the statutory time limits.

Key Irish regulations that affect data retention and deletion:

  • Revenue Commissioners: Records relating to tax and VAT must be retained for six years from the end of the tax year. This includes payroll data, invoices, and receipts.
  • Employment legislation: The Terms of Employment (Information) Acts and the Organisation of Working Time Act require retention of certain employee records (e.g., working hours, wage slips) for at least three years.
  • Statute of Limitations 1957: Contractual claims have a six-year limitation period. For many organisations, retaining data for potential litigation defence is a valid lawful basis to refuse erasure for that period.
  • Anti-money laundering and counter-terrorism financing: The Criminal Justice (Money Laundering and Terrorist Financing) Acts 2010-2021 require designated entities to retain customer identification and transaction data for five years after the business relationship ends or the transaction is completed.

These obligations create a compliance burden: an organisation may have to retain some data for legal reasons while erasing others for the same individual. This underscores the need for a granular data classification system and clear retention schedules.

Practical Tips for Irish Organisations (Best Practices)

Implementing strong data governance is the most effective way to handle deletion requests. Below are actionable best practices grounded in DPC guidance.

Establish Clear, Written Policies

Develop a Data Subject Rights Policy that includes a specific section on the right to erasure. This policy should detail the process, the responsible staff members, escalation procedures, and how requests from minors are handled. Ensure the policy is approved by senior leadership and reviewed annually.

Train All Relevant Staff

Data deletion requests may come in through any customer-facing channel – not just the data protection officer (DPO). Reception staff, sales teams, and customer support agents should be trained to recognise a deletion request and escalate it immediately. Annual GDPR training should include case studies and simulations.

Implement a Data Deletion Log

Use a secure, auditable log (preferably a dedicated module in your privacy management software) to track each request from receipt to closure. Important fields include:

  • Request reference number
  • Date received and acknowledgment sent
  • Identity verification method used
  • Data discovered locations
  • Deletion method applied
  • Any data retained and legal basis
  • Date of completion
  • Any complaints or DPC referrals
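The following is an added example (not the article’s own tooling) of a minimal erasure-request register that encodes two points from the step-by-step process and the log fields above: the Article 12(3) deadline (one month, extended by up to two further months only if the data subject was told within the first month) and the retention-hold check against the Irish retention periods the article lists. The month-end clamping rule in add_months and the category names are assumptions.

```python
"""Erasure-request register with Article 12 deadline tracking and a retention-hold check.
Added example; retention periods are those listed in the article, category names and the
month-end clamping rule are assumptions, not statements of law."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
import calendar

# (years, legal basis to quote in a refusal), taken from the article's list of Irish rules.
RETENTION_RULES = {
    "tax_vat": (6, "Revenue Commissioners: tax/VAT records, six years from end of tax year"),
    "working_time": (3, "Organisation of Working Time Act: employee records, three years"),
    "contract": (6, "Statute of Limitations 1957: six-year limitation period for contractual claims"),
    "aml_customer": (5, "Criminal Justice (Money Laundering) Acts: five years after relationship ends"),
}

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic. A day that does not exist in the target month
    (31 January + 1 month) is clamped to that month's last day (assumption)."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

@dataclass
class ErasureRequest:
    ref: str                      # request reference number
    received: date                # the one-month clock starts here, not at identity verification
    identity_verified: bool = False
    # category -> date the retention clock started (end of tax year, end of relationship, ...)
    data_held: dict = field(default_factory=dict)
    extension_notified_on: Optional[date] = None

    def deadline(self) -> date:
        """Article 12(3): one month from receipt; up to two further months only if the
        data subject was informed of the extension within the first month."""
        base = add_months(self.received, 1)
        if self.extension_notified_on and self.extension_notified_on <= base:
            return add_months(self.received, 3)
        return base

    def assess(self, today: date) -> dict:
        """Per data category: ('erase', reason) or ('retain', legal basis + retention end)."""
        if not self.identity_verified:
            raise ValueError("verify identity before assessing the request (step 2)")
        outcome = {}
        for category, clock_start in self.data_held.items():
            years, basis = RETENTION_RULES.get(category, (0, ""))
            expiry = add_months(clock_start, 12 * years)
            if years and today < expiry:
                outcome[category] = ("retain", f"{basis}; retention ends {expiry.isoformat()}")
            else:
                outcome[category] = ("erase", "no retention obligation applies")
        return outcome
```

The assess output maps directly onto the “any data retained and legal basis” log field and onto the refusal letter, which must cite the specific exemption rather than a generic “legal reasons”.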

Use Technology to Automate Discovery

Manual data discovery is error-prone. Invest in data discovery tools that index structured and unstructured data across network drives, email servers, and cloud applications. These tools can automate locating personal identifiers (name, email, PPS number) so that deletion requests can be executed faster and more thoroughly.

Partner with Third-Party Processors Explicitly

Your data processing agreements with vendors should include clear obligations to assist in deletion requests. Ensure your vendor management process includes quarterly checks that processors can meet your deletion SLAs. For cloud services, use their built-in tools (e.g., AWS S3 object deletion, Microsoft 365 compliance purge) and verify logs.

Provide Explicit Instructions on Your Website

Make it easy for data subjects to submit deletion requests by publishing a dedicated form or email address (e.g., a dedicated privacy mailbox). Under Article 12, you must provide information on actions taken on a request “without undue delay and in any event within one month of receipt.” Having a clear process on your privacy policy page reduces confusion and avoids unnecessary delays.

Common Pitfalls and How to Avoid Them

Even with a solid process, organisations often stumble. Learn from these frequent missteps.

1. Failing to identify the request. If a customer says “please remove me from your system”, that is a valid erasure request. Do not treat it as a simple account closure or opt-out. Train staff to flag any ambiguous language.

2. Delaying the response. The one-month clock starts from when you receive the request, not when you verify identity. If you need identity verification, inform the requester and pause the clock only after requesting additional information. The DPC expects prompt action.

3. Forgetting about backups and archives. Many organisations delete live databases while leaving archived emails or backup tapes untouched. This leads to a false sense of compliance. As noted earlier, backup management must be part of the process.

4. Refusing erasure without justification. If you refuse, provide a detailed explanation referencing the specific exemption and inform the data subject of their right to complain to the DPC. Generic refusals like “we keep all data for legal reasons” will likely be challenged.

5. Ignoring requests from former employees. Ex-employees are still data subjects. They can request deletion of their personal data from your HR systems, subject to retention obligations. Ensure the process covers leavers and alumni.

Resources for Irish Organisations

To stay compliant, Irish organisations should regularly consult the following resources:

Conclusion

Handling data deletion requests properly is a sign of a mature data protection culture. For Irish organisations, the need to balance individual rights with legal retention obligations is a constant challenge, but it can be managed through clear policies, thorough training, systematic data discovery, and meticulous documentation. By embedding the right to erasure into everyday operations rather than treating it as an occasional incident, organisations reduce regulatory risk, foster trust with their stakeholders, and contribute to a privacy-respecting digital environment in Ireland.

Start by auditing your current process against the steps outlined above. If you identify gaps, create a remediation plan with timelines and assign ownership. The effort you invest today in managing deletion requests correctly will pay dividends in compliance and reputation for years to come.