EU Regulation

GDPR Right to Erasure (Article 17): Data Destruction and the Right to Be Forgotten

The EU General Data Protection Regulation, Regulation (EU) 2016/679, gives individuals a right to erasure of their personal data under Article 17, often called the right to be forgotten. When personal data reaches end of life on physical storage media, secure destruction is how an organization completes erasure. All Green Recycling's data destruction processes are operationally aligned to the GDPR erasure and accountability obligations.

  • Publisher: European Parliament and Council of the European Union
  • Current: Regulation (EU) 2016/679; in force 25 May 2018
  • Jurisdiction: International
  • Applies to: Any organization processing personal data of individuals in the EU, regardless of where the organization is located

What Is the GDPR Right to Erasure?

The EU General Data Protection Regulation, Regulation (EU) 2016/679 (the GDPR), is the European Union’s data-protection law, in force since 25 May 2018. Article 17 establishes the right to erasure: individuals can require a controller to delete their personal data, and controllers must erase data that is no longer necessary for the purpose it was collected.

Publisher: European Parliament and Council of the European Union
Key citations: Article 17 (right to erasure); Article 5(1)(e) (storage limitation); Article 5(2) (accountability); Article 32 (security of processing)
Legal force: Directly applicable EU regulation. Enforced by national Data Protection Authorities, coordinated by the European Data Protection Board.

The GDPR has extraterritorial reach. It applies to any organization that processes the personal data of individuals in the EU, regardless of where the organization is established, when it offers goods or services to or monitors the behavior of those individuals. A U.S. company holding EU customer data on its servers is in scope.


What Does GDPR Require for Erasure and Media Disposal?

GDPR requires controllers to erase personal data when it is no longer needed, to honor valid erasure requests without undue delay, to secure data throughout its lifecycle, and to demonstrate that erasure occurred. On physical storage media, secure destruction is the mechanism that completes erasure.

Right to erasure (Article 17)

A controller must erase personal data without undue delay when one of the Article 17 grounds applies, including that the data is no longer necessary, consent is withdrawn, or the data was unlawfully processed. Erasure must be effective: data held on decommissioned drives must be destroyed, not merely deleted at the file-system level.

Storage limitation (Article 5(1)(e))

Personal data must be kept in a form that permits identification for no longer than necessary. When a retention period ends, the data, including copies on backup tapes and retired drives, must be disposed of.

Security of processing (Article 32)

Controllers and processors must implement appropriate technical measures to secure personal data, including during disposal. Destruction that renders media unreadable satisfies this obligation at end of life.

Accountability (Article 5(2))

The controller must be able to demonstrate compliance. For media disposal, this means retaining a destruction record that shows which devices were destroyed, when, and by what method.

Processor obligations and Article 28 contracts

When a controller engages a vendor to destroy media, that vendor is a processor under Article 28, and the relationship must be governed by a written contract that binds the processor to act only on the controller’s instructions, to apply appropriate security, and to return or delete the data at the end of the service. A destruction vendor therefore operates under documented instructions and provides the controller with evidence of the completed erasure, which feeds directly into the controller’s own accountability record.

Backups, copies, and the practical limits of erasure

Article 17 reaches every copy of the personal data, not just the primary record. Personal data frequently persists on backup tapes, archival drives, and decommissioned arrays after it has been deleted from production systems. A controller that honors an erasure request, or that retires data at the end of its retention period, must account for those secondary copies. End-of-life destruction of backup media and retired storage is how the controller closes the gap between deleting a live record and ensuring no recoverable copy remains.


How All Green Recycling Aligns to GDPR

All Green Recycling’s data destruction processes are operationally aligned to the GDPR obligations that govern end-of-life media: effective erasure, security of processing, and accountability. Destruction provides the verifiable, irreversible erasure that file deletion cannot.

GDPR obligation                      All Green Recycling control
Effective erasure (Art. 17)          Hard Drive Shredding and SSD Destruction eliminate the media
Erasure for redeployed assets        Cryptographic Erase and verified wiping where the device is reused
Security of processing (Art. 32)     Chain of custody and Witnessed Destruction options
Accountability (Art. 5(2))           Certificate of Destruction with serialized inventory and date

All Green Recycling does not claim to be “GDPR-certified.” The GDPR is a regulation, not a certification scheme. The company states that its destruction processes satisfy the requirements of the GDPR for the erasure and secure disposal of personal data on physical media, and it evidences that with a Certificate of Destruction that serves as the controller’s accountability record.


Who Must Comply With GDPR?

GDPR applies to controllers and processors that handle the personal data of individuals in the EU. A controller determines why and how personal data is processed. A processor handles personal data on the controller’s behalf. A data destruction or IT asset disposition vendor acts as a processor when it destroys media holding personal data.

The regulation’s extraterritorial scope means that organizations outside the EU are in scope when they offer goods or services to EU residents or monitor their behavior. United States enterprises with EU customers, EU employees, or EU operations therefore inherit the erasure and disposal obligations for any media holding that data, even when the physical destruction takes place at a facility in the United States.

The duty is shared across the data chain. A technology company that hosts EU user data is a controller for the data it collects for its own purposes and a processor when it handles a customer's data on that customer's behalf, and a financial services firm with EU clients holds the same obligations for account records. In each case the organization must ensure that any downstream destruction vendor is bound by an Article 28 processing agreement and produces erasure evidence, because the controller remains answerable to the supervisory authority for personal data anywhere in its supply chain.


Enforcement and Consequences

National Data Protection Authorities enforce the GDPR. Article 83 sets two penalty tiers. The higher tier reaches the greater of €20 million or 4 percent of total worldwide annual turnover for the preceding financial year.

Failure to erase: Ignoring a valid Article 17 request, or retaining personal data past its retention period on decommissioned media, is an infringement subject to the higher penalty tier.

Inadequate security at disposal: A data breach traced to improperly disposed media engages Article 32 and can trigger both administrative fines and individual compensation claims under Article 82.

Accountability failure: An organization that cannot demonstrate that personal data was erased, because it kept no destruction records, fails the Article 5(2) accountability principle even if the data was in fact destroyed.

Cross-border and reputational exposure: Because supervisory authorities coordinate through the European Data Protection Board, an infringement involving individuals in several member states can draw a single lead authority and a coordinated penalty. Published enforcement decisions also carry reputational weight that extends well beyond the fine itself, particularly for organizations that market themselves on data stewardship.



Frequently Asked Questions

Does the GDPR right to erasure require physical destruction of drives?

The GDPR right to erasure under Article 17 requires that personal data be effectively and irreversibly removed, but it does not mandate one specific method. For data on end-of-life storage media, physical destruction such as shredding provides the strongest evidence of irreversible erasure. For devices that will be reused, a verified cryptographic erase or overwrite that renders the data unrecoverable also satisfies the obligation, provided the result is documented.

Is GDPR compliance mandatory for United States companies?

Yes, when a United States company processes the personal data of individuals in the EU. The GDPR applies extraterritorially under Article 3 to organizations that offer goods or services to EU residents or monitor their behavior, regardless of where the organization is located. A U.S. enterprise with EU customers or employees must honor erasure requests and securely dispose of media holding that personal data, even when destruction occurs at a U.S. facility.

How does All Green Recycling satisfy GDPR erasure requirements?

All Green Recycling’s data destruction processes are operationally aligned to the GDPR obligations for end-of-life media. The company physically destroys drives to achieve irreversible erasure, applies cryptographic erase or verified wiping where assets are redeployed, and issues a Certificate of Destruction that serves as the controller’s accountability record under Article 5(2). All Green Recycling describes this as process-alignment, not a GDPR certification, because the GDPR is a regulation rather than a certification scheme.

What is the difference between deletion and erasure under GDPR?

Deletion at the operating-system level removes the file pointer while the underlying data remains recoverable, which does not satisfy the GDPR right to erasure. Erasure under Article 17 requires that the personal data be rendered genuinely irretrievable. On physical media this means destruction or a verified sanitization method that defeats laboratory recovery, accompanied by a record demonstrating the data can no longer be reconstructed.

What documentation demonstrates GDPR-compliant erasure of media?

The accountability principle in Article 5(2) requires a controller to demonstrate compliance, so a destruction record is essential. The Certificate of Destruction from All Green Recycling lists the serialized devices, the destruction date, and the method applied, which evidences that personal data on those media was irreversibly erased. This record supports responses to Data Protection Authority inquiries and to individual erasure-request confirmations.

How does GDPR interact with United States data-disposal laws?

GDPR governs personal data of EU individuals, while United States laws such as the HIPAA Disposal Rule, the GLBA Safeguards Rule, and the FACTA Disposal Rule govern specific categories of U.S. data. An organization operating across both regimes applies the strictest applicable disposal standard. Documented destruction that renders media unreadable satisfies the disposal obligations of all of these frameworks simultaneously.

Can a United States destruction facility satisfy a GDPR erasure obligation?

Yes. The GDPR does not require that destruction occur inside the EU. It requires that personal data be effectively erased, that the processing be secured, and that the controller be able to demonstrate the result. A controller may transfer end-of-life media to a United States destruction facility provided the transfer and processing are governed by an Article 28 agreement and appropriate safeguards, and provided the controller receives evidence of the completed destruction. The Certificate of Destruction supplies that evidence, mapping each serialized device to its destruction date and method so the controller can satisfy a supervisory authority regardless of where the physical destruction took place.

How quickly must media be destroyed after an erasure request?

Article 17 requires erasure without undue delay, and Article 12 sets a general response window of one month for acting on a data-subject request, extendable by two further months for complex cases. In practice, personal data on a live system is deleted promptly, while the same data on end-of-life media is destroyed on the organization’s next scheduled decommissioning cycle. The key is that the controller can show a defined process and a destruction record for the media, rather than leaving retired drives holding erasable data indefinitely. All Green Recycling supports scheduled pickups so retired media move to destruction within a predictable window and the controller can evidence timely erasure.
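The two answers above, on destruction documentation and on timing, both come down to one check the controller should be able to run: does every retired device holding erasable data have a matching line on a Certificate of Destruction, and was it destroyed within the window the controller has set for itself? The following is an added example, not code from the page or from All Green Recycling. It reconciles a constructed retired-media inventory against constructed certificate entries and reports the evidenced devices, the devices with no destruction record (an Article 5(2) gap), the devices destroyed later than an assumed policy window, and certificate lines that match nothing in the inventory. The serial numbers, dates, field names and the 30-day window are all assumptions for the demonstration; the page states that the Article 12 one-month window governs responses to data-subject requests, and the destruction deadline here is a controller's own policy choice, not a figure from the regulation.

```python
"""Added example (not from the original page): reconciling a controller's
retired-media inventory against a vendor Certificate of Destruction.
All serials, dates and the policy window are constructed assumptions."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RetiredAsset:
    serial: str
    retired_on: date          # date the device left production


@dataclass(frozen=True)
class DestructionRecord:
    serial: str
    destroyed_on: date
    method: str               # e.g. "shred", "crypto-erase", "overwrite"


# Constructed sample inventory: devices retired from production.
RETIRED = [
    RetiredAsset("SN-0001", date(2024, 3, 1)),
    RetiredAsset("SN-0002", date(2024, 3, 1)),
    RetiredAsset("SN-0003", date(2024, 3, 15)),
    RetiredAsset("SN-0004", date(2024, 4, 2)),   # never reached the vendor
]

# Constructed sample certificate lines (serial, date, method).
CERTIFICATE = [
    DestructionRecord("SN-0001", date(2024, 3, 20), "shred"),
    DestructionRecord("SN-0002", date(2024, 4, 25), "shred"),         # 55 days after retirement
    DestructionRecord("SN-0003", date(2024, 3, 28), "crypto-erase"),
    DestructionRecord("SN-9999", date(2024, 3, 20), "shred"),         # not in our inventory
]


def reconcile(retired, certificate, max_days: int = 30) -> dict:
    """Match each retired device to its destruction record.

    Returns:
      evidenced  - serial -> (DestructionRecord, days from retirement to destruction)
      missing    - retired serials with no destruction record (accountability gap)
      late       - (serial, days) pairs destroyed after the assumed policy window
      unexpected - certificate serials that are not in the inventory
    """
    by_serial = {}
    for rec in certificate:
        # A serial appearing twice on a certificate is itself a record defect.
        if rec.serial in by_serial:
            raise ValueError(f"duplicate certificate entry for {rec.serial}")
        by_serial[rec.serial] = rec

    evidenced, missing, late = {}, [], []
    for asset in retired:
        rec = by_serial.pop(asset.serial, None)
        if rec is None:
            missing.append(asset.serial)
            continue
        days = (rec.destroyed_on - asset.retired_on).days
        evidenced[asset.serial] = (rec, days)
        if days > max_days:
            late.append((asset.serial, days))

    return {
        "evidenced": evidenced,
        "missing": sorted(missing),
        "late": sorted(late),
        "unexpected": sorted(by_serial),   # whatever the inventory never claimed
    }


def accountability_complete(result: dict) -> bool:
    """True only when every retired device has a destruction record."""
    return not result["missing"]


if __name__ == "__main__":
    summary = reconcile(RETIRED, CERTIFICATE)
    for serial, (rec, days) in summary["evidenced"].items():
        print(f"{serial}: {rec.method} on {rec.destroyed_on} ({days} days after retirement)")
    print("missing records:", summary["missing"])
    print("beyond policy window:", summary["late"])
    print("unexplained certificate lines:", summary["unexpected"])
    print("accountability complete:", accountability_complete(summary))
```

Run against the constructed data, the report shows SN-0004 with no destruction record, SN-0002 destroyed 55 days after retirement, and SN-9999 on the certificate but absent from the inventory. The first is the Article 5(2) failure the page describes: the controller cannot demonstrate erasure for that device regardless of what actually happened to it.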

Need compliant destruction services that satisfy GDPR Right to Erasure (Article 17)?

Bonded · Insured · Certificate of Destruction · Methods follow GDPR Right to Erasure (Article 17)