Article 17 of the GDPR covers the Right to erasure, although this provision is more commonly known as 'the right to be forgotten'.  

"The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay..."

The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data.

Under Recital 65, the GDPR also encourages organisations to be precautious with requests coming from individuals that have given consent for processing when they were under the age of 16. 

Main Things to Know

  • You must give students an easy way to request a data purge from your systems. 
  • Once an erasure request is made you must execute it without undue delay and within 30 days. 
  • If the information is stored on multiple systems, you must purge the data from all of them. 
  • If you have disclosed the information to any third parties,  you must inform them about the erasure of the personal data, unless it is impossible or involves disproportionate effort to do so.

What you could do to be compliant:  

1. Create a form that will manage data purge requests. See an example of such a form here. You will be able to embed the form on a relevant page on your website or just include a link to the self-hosted form in your privacy policy page. Alternatively, you can create a landing page that will contain information on data protection and privacy policies, which will link to this form amongst other relevant pages. This approach will also help you stay compliant with the right to be informed. You can see an example of such a landing page built using Gecko's landing page feature here: https://lp-eu.geckoform.com/demo/gdpr

2. You may also want to include a link to the form or landing page at the bottom of your emails or in other types of communications that would permit this. 

3. Configure a workflow on the form to trigger a message to your Data Protection Officer, or any other member of staff who would be responsible for taking action. You may also wish to add additional labels or update contact fields automatically on the go through the workflows, which would allow you to easily filter your requests in the future. 

4. Delete the contact record from Gecko and other systems you use to store contact information. Please note that most systems, including ours, will 'soft delete' or 'archive' the record as opposed to purging it from the database. This ensures that contacts can be restored if deleted accidentally. For purge requests, you will need to ensure that the data is not simply archived but purged without the ability to be restored at some point in the future. Gecko will be adding the option for users to permanently purge contacts in a future update, but we would recommend contacting the support team of any other systems you make use of to enquire about their data purging procedures.

5. Once the purge is made, inform the student as well as any third parties with whom the data was shared (such as agents or external marketing firms) of the purge. 

6. Please keep in mind that Gecko stores backup copies of your data for 15 days. Purging an individual contact's data from the backup files is difficult and time-consuming. If you fail to delete a contact record within the first 15 days of the request, we might need to delete the backup files as opposed to restoring the individual backups and deleting individual records from them. We strongly advise you to act on a data purge request within 15 days of receiving the request as this will ensure that the data is purged from our backups by the time the 30-day threshold is reached. 

Data purges with Gecko Protect: 

The new Gecko Protect add-on offers a dedicated feature for managing data purge requests. With Gecko Protect, you can generate a unique URL within your outbound comms that will direct students to a Contact Portal. Students are able to confirm their identity via email or SMS and edit their personal data via the portal. Here's an example of how the contact portal page will look like for a student:  

Once a purge request is made through the contact portal, the assigned users in your account will be notified via email. All purge requests made by students are logged in a dedicated area in settings: 

Purge requests will not be executed automatically, but will await a manual confirmation from an authorised user in your account. If the purge request is not confirmed by a user within 15 days, the system will execute the purge automatically and inform the student as well as the assigned users in your instance. This process will ensure that your university stays compliant with this provision of the GDPR. 


Any questions? Feel free to start a live chat with a member of our support team or explore the rest of our academy at your leisure.

Did this answer your question?