Data subjects have a right to ask controllers for the deletion of their personal data (see the “Right to Erasure” subsection in the “Data Subjects’ Rights” section of the General part of these Guidelines). However, the use of cloud computing, the existence of diverse servers and repositories, the possibility that the data are processed by different processors and controllers, makes it hard to ensure that all backup copies and the personal data –and not only their encryption keys- are deleted. To avoid such results, controllers should monitor procedures carefully.

Finally, controllers shall keep in mind that this right does not cover processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or when it will ‘adversely affect the rights and freedoms of others’. If deleting some data might cause severe damage to the rights and freedoms of others, erasure should not be allowed. Needless to say, this involves the need to balance the different interests involved.