Data subjects have a right to ask controllers the deletion of their personal data under article 17 GDPR (see the section “Right to Erasure” in the “Data subject rights”, Part II of these Guidelines). However, the use of cloud computing, the existence of diverse servers and repositories, the possibility that the data are processed by different processors and controllers makes it hard to ensure that all backup copies and the personal data –and not only their encryption keys- are deleted. To avoid such results, IoT developers should monitor procedures carefully.

Finally, controllers shall keep in mind that this right does not cover processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’ or when it will ‘adversely affect the rights and freedoms of others’. If deleting some data might cause severe damage to the rights and freedoms of others, erasure should not be allowed. This involves the need to balance different interests involved.