In the era of digital empowerment, ex-employees aren’t just walking out with experience—they’re walking out with rights. One of the most significant is the Right to Be Forgotten (RTBF) under data protection laws such as the GDPR and India’s Digital Personal Data Protection Act (DPDPA) 2023.
Picture this: You’re in HR or the compliance team. You get an email from a former team member that reads:
“As per GDPR Article 17, I request you to erase all my personal data.”
Sounds simple, right? But what follows is a legal tightrope walk.
What Is RTBF, and When Does It Apply?
The Right to Be Forgotten is a fundamental right under Article 17 of the GDPR, allowing individuals to request the deletion of personal data when:
- It’s no longer necessary for its original purpose
- Consent is withdrawn
- The data was unlawfully processed
- It’s required to comply with a legal obligation
However, this right is not absolute.
RTBF Does Not Apply If:
- The data is required for legal compliance.
- The data is needed to establish, exercise, or defend legal claims.
- The data is required for a public-interest purpose (e.g., health, research, archives).
This balance is crucial when the data subject is a former employee.
A Step-by-Step Blueprint to Handle RTBF Requests
1. Acknowledge the Request (Timely)
Under the GDPR, you are required to respond within 30 days. Acknowledge receipt and initiate a verification process.
Sample: "We’ve received your RTBF request and will respond within the timelines defined under GDPR/DPDPA."
2. Verify Identity (Securely)
You cannot delete data based on an unauthenticated email. Ask the requester for:
- Government ID
- Employment reference number
Then match what they provide against internal HR records. Collect only what is needed to confirm identity, and reply through the contact details already on file rather than to an unfamiliar address.
3. Locate the Data (Comprehensively)
This means pulling data from:
- HRMS and payroll systems
- Emails, collaboration tools (Teams, Slack)
- Attendance logs and biometric systems
- Third-party vendors (background verification, SaaS platforms)
Use your RoPA (Record of Processing Activities) to map where the data lives.
4. Evaluate Legal Retention (Rationally)
Here’s a quick table that shows what to keep vs. what to consider deleting:
| Data Type | Retention Reason | Duration |
|---|---|---|
| Payroll & tax records | Legal obligation (Income Tax Act, Companies Act) | 7+ years |
| Employee contracts | Legal defense or audits | 3–6 years (varies) |
| Disciplinary records | Legitimate interest | Until litigation window closes |
| Exit interviews | Internal policy & HR trends | Limited period |
5. Delete What You Can (Compliantly)
- Anonymize or erase personal records that are no longer needed
- Inform vendors to update or delete relevant entries
- Clean logs, credentials, and shadow access from internal tools
Don't delete documents still required under tax, labor, or audit laws.
6. Close the Loop (Clearly)
Send a final response explaining:
- What data was deleted
- What was retained and why
- DPO contact for escalation
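The six steps above can be run as a repeatable triage rather than an ad-hoc email thread. The script below is an added example, not code from the article or from any product it mentions: it takes a small inventory of a former employee's records (constructed sample data, mirroring the systems named in step 3), applies retention rules modelled on the table in step 4 (the categories, durations and legal bases here are illustrative assumptions, to be replaced by your own RoPA and counsel's guidance), refuses to act before identity is verified, routes records with no known rule to the DPO instead of deleting them, and produces the "what was deleted / what was retained and why" summary that step 6 asks for, together with the response deadline from step 1.

```python
"""RTBF triage: decide delete vs retain per record and draft the closure summary.

Added illustration; rule durations and categories are assumptions, not legal advice.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RESPONSE_WINDOW_DAYS = 30  # response window stated in the article (step 1)

# Retention rules keyed by data category (assumed values modelled on the article's table).
# None means there is no legal or legitimate-interest basis to keep the data after exit.
RETENTION_RULES = {
    "payroll": {"basis": "Legal obligation (tax and company law)", "years": 7},
    "contract": {"basis": "Legal defence or audit", "years": 6},
    "disciplinary": {"basis": "Legitimate interest (litigation window)", "years": 3},
    "exit_interview": {"basis": "Internal HR policy", "years": 1},
    "chat": None,
    "credential": None,
    "attendance": None,
}


@dataclass(frozen=True)
class Record:
    system: str        # where the data lives, e.g. "HRMS", "Slack", "Payroll"
    category: str      # key into RETENTION_RULES
    created: date      # start of the retention clock
    description: str


@dataclass(frozen=True)
class Decision:
    record: Record
    action: str                    # "delete", "retain" or "review"
    reason: str                    # goes verbatim into the closure summary
    review_on: Optional[date] = None  # when a retained record becomes deletable


def add_years(d: date, years: int) -> date:
    """Add whole years, clamping 29 Feb to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def response_deadline(received: date) -> date:
    """Date by which the final response must go out (step 1)."""
    return received + timedelta(days=RESPONSE_WINDOW_DAYS)


def triage(records, request_date: date, identity_verified: bool):
    """Apply the retention rules to every located record (steps 2, 4 and 5)."""
    if not identity_verified:
        # Step 2: never erase on the strength of an unauthenticated email.
        raise PermissionError("identity not verified; erasure refused")
    decisions = []
    for r in records:
        if r.category not in RETENTION_RULES:
            # Unknown category: do not guess, escalate to the DPO.
            decisions.append(Decision(r, "review",
                f"no retention rule for category '{r.category}'; escalate to DPO"))
            continue
        rule = RETENTION_RULES[r.category]
        if rule is None:
            decisions.append(Decision(r, "delete",
                "no legal or legitimate basis to keep after exit"))
            continue
        expires = add_years(r.created, rule["years"])
        if request_date < expires:
            decisions.append(Decision(r, "retain",
                f"{rule['basis']}; retained until {expires.isoformat()}", review_on=expires))
        else:
            decisions.append(Decision(r, "delete",
                f"retention period ({rule['basis']}) expired on {expires.isoformat()}"))
    return decisions


def closure_summary(decisions):
    """Group decisions into the three sections of the step-6 response."""
    summary = {"deleted": [], "retained": [], "needs_review": []}
    key = {"delete": "deleted", "retain": "retained", "review": "needs_review"}
    for d in decisions:
        summary[key[d.action]].append(f"{d.record.system}: {d.record.description} ({d.reason})")
    return summary


# Constructed sample inventory for one former employee (not real data).
SAMPLE_RECORDS = [
    Record("Payroll", "payroll", date(2021, 4, 30), "salary slips FY2021"),
    Record("HRMS", "contract", date(2019, 1, 15), "employment contract"),
    Record("Slack", "chat", date(2023, 6, 1), "direct messages"),
    Record("IdP", "credential", date(2019, 1, 15), "SSO account and API tokens"),
    Record("Vendor BGV", "background_check", date(2019, 1, 10), "background verification report"),
]

if __name__ == "__main__":
    received = date(2024, 7, 1)
    print("respond by:", response_deadline(received))
    for section, items in closure_summary(triage(SAMPLE_RECORDS, received, True)).items():
        print(section.upper())
        for line in items:
            print("  -", line)
```

Every decision carries its reason, so the same list doubles as the audit trail step 6 and the final takeaways ask for; retained records also carry a `review_on` date, which is what lets you schedule the deferred deletion instead of forgetting it.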
Case Study: A Realistic RTBF Scenario
Case: A content writer resigned and requested RTBF enforcement under GDPR.
Steps Taken:
- Verified identity using ID and HR records.
- Extracted records from email, HRMS, and Slack.
- Retained salary slips (7 years—income tax).
- Deleted Slack messages and app credentials.
- Shared RTBF closure summary within 25 days.
Outcome: Compliance ✔️, Transparency ✔️, Trust ✔️
Cross-Border Perspective: GDPR vs DPDPA
| Regulation | Key RTBF Provision | Notable Highlights |
|---|---|---|
| GDPR (EU) | Article 17 | Includes public interest and legal claims as exceptions |
| DPDPA (India) | Sections 12 & 14 | Allows withdrawal of consent and correction/erasure on request |
Final Takeaways: Privacy + Process = Power
A former employee’s RTBF request isn’t a nuisance—it’s an opportunity to show data accountability.
- Always validate identity first.
- Map data across systems (HR + IT + Legal).
- Respect retention laws before deletion.
- Document everything—you may need to show proof of action.
RTBF is not just a right—it’s a test of organizational maturity.
References:
- GDPR Article 17
- ICO RTBF Guidelines
- DPDPA 2023 Portal
- CourseKonnect Live Courses