Irish DPC Case Study on Right to Erasure: What Organizations Should Learn

The Irish Data Protection Commission (DPC) recently published a case study illustrating how a complaint under Article 17 of the General Data Protection Regulation (GDPR) the right to erasure was resolved amicably between a data subject and a data controller. While the case did not result in a fine or formal enforcement action, its details offer valuable guidance for organizations handling erasure requests and highlight best practices for compliant workflows.

Erasure Request Under Article 17 GDPR

In this matter the complainant submitted an erasure request via email under Article 17 GDPR. The controller was undergoing a transition to a new erasure-request process at the time and, as it turned out, the request was missed — likely due to human error or a technical oversight. The organization acknowledged the mistake, apologized, confirmed deletion of the data, and informed the DPC of its corrected actions. The complainant then agreed to the controller’s actions and the complaint was withdrawn.

The DPC described the case as an “amicable resolution” under Section 109 of the Data Protection Act 2018. The key learning point: data controllers can minimize risk by engaging proactively with data-subjects and supervisors while swiftly remedying oversights.

Why This Matters and the Irish Amicable Resolution DPC — Right to Erasure

Even though no formal sanction was issued, the case sends strong signals to organizations about how erasure-requests should be handled:

• Timeliness counts: The request was received during a transition period, yet the oversight drew scrutiny. It emphasizes that changes in internal processes should not interrupt rights-handling workflows.
• Documentation and explanation are crucial: The controller provided a detailed explanation of how the oversight occurred, showed transparency, and offered apology plus corrective measures—all of which helped lead to resolution.
• Deletion is not optional: The controller confirmed actual deletion of the personal data held for the individual, fulfilling the core requirement of Article 17.
• Supervisor engagement helps: The DPC’s involvement via mediation helped bring the parties together and demonstrates the advantage of cooperating rather than resisting early engagement with supervisory authorities.

Ensure Requests Workflows With This Guide

Here are practical steps organizations should review and implement:

• Ensure your erasure-requests workflow is distinct, documented, and operational—even during process transitions or system upgrades.
• Track and auditable log all erasure requests, including receipt date, requester identity (as required), controller action, deletion confirmation, notifications to the requester and record of any follow-up.
• If you miss a request, act quickly: acknowledge the issue, remediate, provide a transparent explanation, confirm deletion, and cooperate with the data subject (and if applicable, the supervisory authority).
• Train your teams and customer-facing personnel on the importance of rights-requests and ensure adequate staffing and oversight during change-management phases.
• Use a comprehensive rights-management platform (for example via Captain Compliance and our automated Data Subject Request tool) to automate inbound-request routing, status tracking, deletion workflows and audit-logging to support your compliance posture.

Wider Context: Erasure Rights Under GDPR

The right to erasure under Article 17 GDPR (also known as the “right to be forgotten”) allows data subjects to ask a controller to erase personal data where one of several grounds applies—such as no longer needing the data for its original purpose, withdrawal of consent, unlawful processing, or objections to processing. Organizations must evaluate each request, apply any applicable exemptions, and act without undue delay.

The DPC’s case study showcases how even relatively straightforward requests are subject to procedural scrutiny and that failure to respond or act can lead to complaints and regulatory engagement—even if no sanction ultimately follows.

Implications for Privacy Professionals

For privacy professionals, this case offers a reminder that:

• Rights-requests workflows must be resilient, including in times of internal change.
• Transparency and accountability carry weight: a simple apology and prompt action can significantly reduce risk and lead to amicable resolution rather than formal enforcement.
• Cooperation with supervisory authorities can soften exposure; responding to the DPC’s engagement helped the controller avoid escalation.
• Audit-ready logs are essential—not just policy-compliance in theory but proof of process in practice matters.

Erasure-Request Handling Process

Organizations should conduct a fresh review of their erasure-request handling process:

• Map how erasure requests are received (email, portal, phone), logged, validated, processed, executed (including actual deletion) and confirmed to the data subject.
• Confirm coverage of all relevant systems—including legacy, backups, data shared with third-parties and archived data—to ensure full deletion where required.
• Test what happens during system transitions or upgrades: ensure no rights-handling step is lost or delayed.
• Update or procure a rights-management tool that supports tracking, automation, deletion workflows, audit logs and reporting (e.g., Captain Compliance).
• Train staff, especially during change-projects, so that awareness of individual rights doesn’t drop when internal processes shift.

The DPC’s case study of amicable resolution of an erasure request might appear modest at first glance—but it reinforces core principles: rights-handling must work in practice, controllers must be accountable, and transparency matters. For organizations, addressing erasure requests efficiently is not just a regulatory checkbox—it’s a strategic imperative for building trust and minimizing risk.

If you’d like assistance preparing your erasure-request workflow, review vendor rights-management solutions, or integrate deletion workflows into your privacy program, we’d be happy to help you evaluate and implement the right approach just book a demo below with one of our privacy and compliance experts who knows how to handle EU, GB, US, and Global privacy matters.