
23 March 2026

What Is the Right to Erasure? GDPR, Turkish Data Protection Law (KVKK), and Back-Up Compliance in Light of the EDPB Report
CottBlog

Author Ecem Kumsal Başyurt, Category KVKK - GDPR


The European Data Protection Board (EDPB) has published a comprehensive report under the 2025 Coordinated Enforcement Framework (CEF), examining how the right to erasure, as regulated under Article 17 of the GDPR, is implemented across Europe. Within the scope of this study, 764 controllers were assessed through investigations conducted by 32 data protection authorities, and the structural challenges encountered in the implementation of the right to erasure, as well as examples of good practices, were identified.


The report shows that the right to erasure is one of the most frequently exercised GDPR rights by data subjects. However, in practice, controllers often tend to view this right merely as a technical response to an individual request. In fact, the GDPR framework demonstrates that the right to erasure is not simply a request-handling process; rather, it constitutes a corporate compliance area directly linked to data retention policies, data lifecycle management, system architecture, and, in particular, back-up infrastructures.

1. Overview within the Framework of GDPR, International Data Protection Law, and KVKK

In personal data protection law, the right to erasure is regarded as one of the most important safeguards enabling individuals to retain control over their personal data. It refers to the possibility for individuals to request the removal of their personal data from the controller where such data is no longer necessary for the purpose for which it is processed. Today, the most visible and systematic regulation of this right is found in Article 17 of the European Union General Data Protection Regulation (GDPR).

Article 17 GDPR is itself headed "Right to erasure ('right to be forgotten')" and is intended to enable individuals to regain control over data relating to them in the digital environment. Under Article 17(1), a data subject may request the erasure of personal data where:

  • The personal data is no longer necessary for the purpose for which it was collected or otherwise processed,
  • The processing is based on consent, that consent is withdrawn, and no other legal ground applies,
  • The data subject objects to the processing and no overriding legitimate grounds exist,
  • The data has been processed unlawfully,
  • Erasure is required to comply with a legal obligation to which the controller is subject,
  • The data was collected in relation to the offer of information society services to a child.

However, the right to erasure is not absolute. Under Article 17(3) GDPR, the controller may refuse erasure to the extent that the processing is necessary:

  • For exercising the right of freedom of expression and information,
  • For compliance with a legal obligation, or for a task carried out in the public interest or in the exercise of official authority,
  • For reasons of public interest in the area of public health,
  • For archiving in the public interest, scientific or historical research, or statistical purposes, where erasure would seriously impair those purposes,
  • For the establishment, exercise, or defense of legal claims.

The origins of the right to erasure in international data protection law are not limited to the GDPR. Council of Europe Convention 108 of 1981 and its updated version, Convention 108+, established that personal data should not be retained for longer than necessary for the relevant purpose and that individuals should have effective rights over their personal data. These conventions elevated the principles of data minimization and storage limitation to core principles of international data protection law.

In Turkish law, however, the right to erasure is not regulated directly under a separate heading such as "right to erasure," as it is under the GDPR. Instead, the system is constructed through the combined reading of data subject rights (Article 11 of the Turkish Personal Data Protection Law, "KVKK") and the obligation to erase, destroy, or anonymize data (Article 7 KVKK).

Within this framework, the data subject has the right to:

  • Learn whether personal data is being processed,
  • Request information if personal data has been processed,
  • Learn the purpose of processing and whether data is used in accordance with that purpose,
  • Know the third parties to whom data is transferred domestically or abroad,
  • Request rectification where personal data has been processed incompletely or inaccurately,

as well as the right to:

"request the erasure or destruction of personal data."

While this right is recognized as an application right under Article 11 KVKK, in practice it is also linked to the erasure regime regulated under Article 7 KVKK.

"Where the reasons requiring the processing of personal data cease to exist, personal data shall be erased, destroyed, or anonymized by the controller ex officio or upon the request of the data subject."

This provision demonstrates that, in Turkish law, the erasure mechanism is not solely a right operating upon request; it is also an obligation that the controller must fulfill on its own initiative.

Accordingly, although the GDPR and the KVKK employ different terminology, they are based on a common principle: personal data may not be retained indefinitely in active systems, archives, or back-up environments once its legal basis has ceased to exist.

2. EDPB 2025 CEF Report: Findings on the Implementation of the Right to Erasure Across Europe

Under the 2025 Coordinated Enforcement Framework, the EDPB conducted a broad review of the implementation of the right to erasure.

The report examined:

  • 32 European data protection authorities,
  • 764 controllers,
  • Numerous sectors and public institutions.

The main objectives of the report were stated as:

  • To identify how the right to erasure is implemented in practice,
  • To determine the technical and legal challenges faced by controllers,
  • To highlight examples of good practices.

According to the EDPB, the right to erasure is one of the GDPR rights most frequently exercised by data subjects and constitutes a significant portion of complaints submitted to data protection authorities.

a) Lack of procedures for handling erasure requests

It was found that many controllers do not have clear and documented procedures on how erasure requests should be assessed. This creates risks such as:

  • Inconsistent handling of requests,
  • Divergent practices among different departments,
  • Weakened accountability of the controller.

The EDPB emphasizes that controllers should establish clear and tested internal policies and procedures for handling erasure requests.

A similar approach exists in Turkish law. Under the Regulation on the Erasure, Destruction or Anonymization of Personal Data, controllers that are obliged to register with the Data Controllers Registry (VERBIS) must prepare a personal data retention and destruction policy, and all controllers must be able to explain their erasure processes within their policies and procedures. In this respect, a procedure-based approach constitutes a core element of compliance in both systems.

The EDPB has identified the following actions as good practices for controllers:

  • Establishing written procedures for erasure requests,
  • Designating a central responsible unit for request handling,
  • Documenting the erasure process.

b) Lack of awareness

According to the EDPB, personnel in many organizations do not receive sufficient training on how to identify, classify, and process requests under Article 17 GDPR through the relevant internal procedures. This may lead to erasure requests being misinterpreted or handled late. The report highlights role-based training and periodic awareness activities as good practices.

c) Insufficient information provided to data subjects

Another issue highlighted in the report is the insufficient information provided to data subjects regarding the scope of the right to erasure, how to submit a request, applicable time limits, and possible grounds for refusal. The EDPB recommends that privacy notices should be clear and accessible and that data subjects should be adequately informed throughout the process.

d) Uncertainty regarding retention periods

Another major issue identified in the report is the failure to define retention periods on a data-category basis. The storage limitation principle set out in Article 5(1)(e) GDPR requires that personal data be kept only for as long as necessary for the purposes for which it is processed.

According to the EDPB, many controllers:

  • Do not establish data category-based retention policies,
  • Apply the same retention period to all data sets,
  • Or leave retention periods effectively undefined.

This directly makes the implementation of the right to erasure more difficult.

Under Turkish law, controllers are required to specify retention periods in their personal data processing inventory and to clearly indicate them in their retention and destruction policy. Moreover, where controllers meet the relevant criteria, they must register with the Data Controllers Registry Information System (VERBIS), where such retention periods must also be declared on a categorical basis. In this respect, the Turkish system ties the determination of retention periods to a more explicit procedural framework.

e) Misapplication of erasure exceptions

One of the justifications frequently invoked by controllers in the report is the following: "The data is retained due to a legal obligation."

However, in many cases, controllers fail to demonstrate in concrete terms:

  • Which legislation imposes the retention obligation,
  • Which category of data must be retained,
  • What the applicable retention period is.

According to the EDPB, abstract claims of legal obligation are not sufficient grounds to reject an erasure request.

f) Erasure in back-up systems

One of the most striking issues identified in the EDPB's 2025 CEF report concerns the management of erasure processes in back-up systems. It was found that, although many controllers erase personal data from active systems, the same data often continues to be retained in back-up environments. This is a common implementation issue, particularly within large-scale IT infrastructures.

Back-up systems are critical infrastructures used to:

  • Preserve data integrity,
  • Enable recovery in the event of system failures or data loss,
  • Protect against ransomware attacks.

For this reason, many organizations consider it technically risky to alter back-up files directly, as doing so may break the structural integrity of the back-up set (and with it the ability to restore). Where back-ups are deliberately kept immutable or write-once precisely to protect against ransomware, in-place modification is not merely risky but impossible by design.

While the EDPB acknowledges this technical reality, it also clearly emphasizes an important principle: "The existence of back-up systems does not eliminate the erasure obligation."

In other words, a controller may not allow personal data erased from active systems to remain indefinitely accessible or reusable in back-up environments.

A parallel approach exists in Turkish law. The definition of "recording medium" in the relevant Regulation covers all media on which personal data is stored.

The Turkish Erasure Guideline also defines erasure as "rendering personal data inaccessible and non-reusable for relevant users." Accordingly, the mere existence of personal data in back-ups does not automatically amount to unlawfulness; however, the fact that such data remains accessible and reusable creates legal risk.

Does the Erasure Obligation Also Cover Back-Up Environments?

Under the GDPR, the concept of "processing of personal data" is not limited to active databases. Any environment in which personal data is stored forms part of the processing infrastructure. This includes:

  • Physical back-up media,
  • External drives,
  • Tape archives,
  • Cloud back-up systems,
  • Disaster recovery systems.

Accordingly, it is not sufficient to erase personal data only from production systems. The same data must also be brought under control within back-up systems.

That said, the EDPB report acknowledges that, due to technical realities, it may not always be possible to erase back-up data instantly. Therefore, the report states that controllers must establish alternative control mechanisms to comply with their erasure obligations.

How Should Erasure Be Managed in Back-Up Systems?

In practice, one of the main challenges faced by controllers is that back-up files are generally stored as complete snapshots of a system, often compressed, deduplicated, or encrypted as a whole. For this reason, isolating and erasing the records of a single data subject from a back-up file is frequently not feasible.

In such cases, controllers are advised to implement the following mechanisms:

1. Central recording of erasure requests

To ensure the erasure obligation can be enforced in back-up systems, erasure requests must first be centrally recorded.

These records should generally include:

  • The date of the erasure request,
  • The identity of the data subject,
  • The categories of data to be erased,
  • The systems from which the data has been erased.

These records are particularly important for determining which data must be erased again if a system is restored.

2. Re-erasure mechanism after restoration

According to the EDPB, the appropriate good practice is as follows: "if a system is restored and previously erased data is brought back from back-ups, that data must be erased again."

Controllers are therefore advised to establish mechanisms such as:

  • Automated checks of restored data before it is released for use,
  • Comparison of the restored records against the central register of erasure requests,
  • A documented re-erasure procedure that is run as part of every restore.

This approach preserves the integrity of back-up systems while preventing infringement of the right to erasure.

3. Determining back-up retention periods

The EDPB report found that many controllers do not define clear retention periods for back-up data.

Under a good practice approach, clear retention periods should be set for different back-up layers such as:

  • Daily back-ups,
  • Weekly back-ups,
  • Monthly archival back-ups.

For example:

  • Daily back-ups → 30 days
  • Weekly back-ups → 90 days
  • Monthly archives → 1 year

In this way, back-up data expires and is overwritten by the rotation schedule in due course, which makes the erasure obligation technically manageable. The longest tier also defines the maximum time for which erased data can survive in a back-up, a figure worth stating in the response to the data subject.

4. Access control for back-up data

Even where back-up data is not immediately erased, it must not remain accessible or usable.

For this reason, controllers should:

  • Separate back-up environments from production systems,
  • Restrict employee access,
  • Prevent back-up data from being opened for operational use.

This approach is also consistent with the definition in the Turkish Erasure Guideline, namely that data should be rendered inaccessible and non-reusable for relevant users.

5. Anonymization or data masking

The EDPB report also notes that some controllers apply practices in back-up systems such as:

  • Replacing personal data with random strings of characters,
  • Anonymizing the data within the data set.

These methods reduce personal data risk without compromising the structural integrity of the back-up. Note that random replacement amounts to anonymization only where no mapping back to the data subject is retained and the remaining fields do not allow re-identification; otherwise the data is merely pseudonymized and remains personal data under both the GDPR and the KVKK. The report also identifies the following as good practices used by some controllers:

  • Central recording of erasure requests,
  • Establishing an automated erasure mechanism after restoration,
  • Defining back-up retention periods,
  • Logging erasure operations in a verifiable manner,
  • Using random string replacement techniques to preserve the integrity of back-ups while neutralizing personal data.
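The five mechanisms above, worked through in code. This is an added example written for this page, not code from the EDPB report or from CottGroup; the field names, subject identifiers, CRM rows and back-up catalogue are constructed, and the per-tier retention days are taken from the example schedule in mechanism 3. It keeps a central erasure register with a hash-chained operations log, re-applies registered erasures to records restored from a back-up (either dropping the row or replacing the personal fields with random strings), and lists back-up sets whose retention tier has elapsed.

```python
import hashlib
import json
import secrets
from datetime import date, timedelta

# Assumption: the article's example schedule, in days per back-up tier.
RETENTION_DAYS = {"daily": 30, "weekly": 90, "monthly": 365}


def _chain(prev_hash, event):
    """Hash of a log event bound to the previous line's hash (verifiable logging)."""
    payload = json.dumps(event, sort_keys=True)
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class ErasureLedger:
    """Mechanism 1: central record of erasure requests, with a hash-chained log."""
    def __init__(self):
        self.entries = {}           # subject_id -> {"date", "fields", "erased_from"}
        self.log = []               # append-only operations log
        self._prev_hash = "0" * 64

    def _append_log(self, event):
        digest = _chain(self._prev_hash, event)
        self.log.append({**event, "prev": self._prev_hash, "hash": digest})
        self._prev_hash = digest

    def verify_log(self):
        """False if any log line was removed, reordered or altered."""
        prev = "0" * 64
        for line in self.log:
            event = {k: v for k, v in line.items() if k not in ("prev", "hash")}
            if line["prev"] != prev or line["hash"] != _chain(prev, event):
                return False
            prev = line["hash"]
        return True

    def record_request(self, request_date, subject_id, fields, erased_from):
        """fields: record columns holding the subject's personal data (constructed names)."""
        self.entries[subject_id] = {"date": request_date, "fields": tuple(fields),
                                    "erased_from": tuple(erased_from)}
        self._append_log({"op": "erase", "subject": subject_id,
                          "date": request_date, "systems": list(erased_from)})

    def reapply_after_restore(self, records, system, mode="mask"):
        """Mechanism 2: re-erase registered subjects from records just restored from back-up.
        mode="delete" drops the row; mode="mask" keeps the row shape and replaces the
        personal fields with random strings (mechanism 5)."""
        kept = []
        for rec in records:
            entry = self.entries.get(rec.get("subject_id"))
            if entry is None:
                kept.append(rec)
                continue
            if mode == "mask":
                masked = dict(rec)
                for f in entry["fields"]:
                    if f in masked:
                        masked[f] = secrets.token_hex(8)  # unlinkable random replacement
                kept.append(masked)
            self._append_log({"op": "re-erase", "subject": rec["subject_id"], "system": system,
                              "mode": mode, "fields": list(entry["fields"])})
        return kept


def expired_backups(backups, today):
    """Mechanism 3: IDs of back-up sets whose tier retention period has elapsed."""
    expired = []
    for b in backups:
        limit = date.fromisoformat(b["created"]) + timedelta(days=RETENTION_DAYS[b["tier"]])
        if limit <= today:
            expired.append(b["id"])
    return expired


# Constructed sample data: a CRM table restored from back-up, and a back-up catalogue.
RESTORED_CRM = [
    {"subject_id": "u-1001", "name": "Ayşe Yılmaz", "email": "ayse@example.com", "plan": "pro"},
    {"subject_id": "u-1002", "name": "Mehmet Kaya", "email": "mehmet@example.com", "plan": "free"},
]
BACKUPS = [
    {"id": "daily-2026-02-01", "tier": "daily", "created": "2026-02-01"},
    {"id": "weekly-2026-01-05", "tier": "weekly", "created": "2026-01-05"},
    {"id": "monthly-2025-03-01", "tier": "monthly", "created": "2025-03-01"},
]


def demo():
    """u-1001 requested erasure on 2026-02-10; the restored back-up predates that request."""
    ledger = ErasureLedger()
    ledger.record_request("2026-02-10", "u-1001", ("name", "email"), ("crm-prod",))
    restored = ledger.reapply_after_restore(RESTORED_CRM, system="crm-restore-2026-03-23")
    return restored, expired_backups(BACKUPS, date(2026, 3, 23)), ledger.verify_log()


if __name__ == "__main__":
    rows, expired, intact = demo()
    print(json.dumps(rows, ensure_ascii=False, indent=2))
    print("expired back-ups:", expired, "| log intact:", intact)
```

Run as a script, the restored CRM rows come back with u-1001's name and email replaced by random strings while u-1002 is untouched, the daily and monthly sets are reported as expired, and the log verifies. The `reapply_after_restore` step belongs in the restore runbook before the restored data set is released for any operational use (mechanism 4), and the hash-chained log is what lets the controller later demonstrate that the re-erasure actually happened.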

g) Account closure is not the same as erasure

The EDPB report also highlights another common mistake made by controllers: "treating account closure as equivalent to erasure."

However, these two concepts are different:

Account closure means terminating the user's access to the system. Erasure means the termination of the controller's authority to process the data and the removal of the data from the relevant systems.

Therefore, even if an account has been closed, erasure is not deemed to have taken place where the personal data continues to be retained in:

  • CRM systems,
  • Marketing data sets,
  • Analytics platforms,
  • Profiling algorithms.

A similar approach also applies under Turkish law. Erasure does not mean merely removing visibility from the user interface; rather, it means rendering the data inaccessible and non-reusable for relevant users.

3. Erasure Processes from the Perspective of ISO 27001 and ISO 27701

Although the EDPB report is not directly based on ISO standards, the problem areas it identifies largely overlap with the data governance approach reflected in ISO 27001 and ISO 27701.

From the perspective of ISO 27001 (Annex A of the 2022 edition), erasure processes are directly related to:

  • Inventory of information and other associated assets (5.9),
  • Access control (5.15),
  • Information deletion (8.10),
  • Information backup (8.13).

ISO 27701, on the other hand, extends ISO 27001 with privacy-specific requirements and, in its obligations towards PII principals (clause 7.3), requires the effective implementation of data subject rights, including access, correction, and erasure, in personal data processing activities.

Accordingly, a mature data protection program is expected to include at least the following elements:

  • A data category-based retention period matrix,
  • An erasure request workflow,
  • A back-up restore re-erasure procedure,
  • Erasure logs,
  • Records of exception assessments.

The EDPB's 2025 CEF Report clearly demonstrates that the right to erasure cannot be treated merely as a technical response to an individual request. On the contrary, it constitutes a multi-layered area of compliance directly linked to the controller's retention policy, data lifecycle management, system architecture, back-up infrastructure, internal control mechanisms, and accountability obligations. The findings of the report show that issues such as the lack of written procedures, uncertainty regarding retention periods, misapplication of erasure exceptions, the inability to manage erasure in back-up systems, and the confusion between account closure and erasure continue to prevent organizations from approaching the right to erasure as a holistic data governance matter.

This situation is not unfamiliar from the perspective of Turkish law. The core conclusion reached by both systems is the same: personal data may not be retained indefinitely in active systems, archival environments, or back-up infrastructures once the legal basis for processing ceases to exist. Therefore, the real challenge for controllers is not merely responding to incoming requests, but establishing a sustainable compliance architecture that predetermines why data is processed, how long it is retained, where it is stored, under what conditions it will be erased, and how restoration or reuse risks will be managed.

In this context, an effective erasure regime under both the GDPR and the KVKK is only possible through clear retention periods, category-based data inventories, written and tested procedures, technical controls covering back-up and restoration scenarios, access restrictions, logging, and demonstrable processing records. The information security and privacy governance approach reflected in ISO 27001 and ISO 27701 further supports this need.

Ultimately, the right to erasure is no longer merely a legal obligation; it is a strategic governance issue situated at the intersection of corporate risk management, information security, data architecture, and regulatory compliance. In this respect, the EDPB Report once again underscores the need to maintain a living and sustainable data protection system.

You may access the relevant EDPB report here.

You may access the national reports here.

Notification!

The content in this article is for general information purposes only and belongs to CottGroup® member companies. This content does not constitute legal, financial, or technical advice and cannot be quoted without proper attribution.

CottGroup® member companies do not guarantee that the information in the article is accurate, up-to-date, or complete and are not liable for any damages that may arise from errors, omissions, or misunderstandings that the information may contain.

The information presented here is intended to provide a general overview. Each specific case may require different assessments, and this information may not be applicable to every situation. Therefore, before taking any action based on the information provided in the article, it is strongly recommended that you consult a competent professional in the relevant fields such as legal, financial, technical, and other areas of expertise. If you are a CottGroup® client, do not forget to contact your client representative regarding your specific situation. If you are not our client, please seek advice from an appropriate expert.
