# GDPR Article 17 - Right to Erasure
This documentation applies to Piler Enterprise edition 2.1.0+.
Publication date: 2025-DEC-26
## Overview
Piler Enterprise provides a complete workflow for handling GDPR Article 17 "Right to Erasure" (also known as "Right to be Forgotten") requests. This feature enables Data Protection Officers (DPOs) and auditors to:
- Create erasure requests for data subjects by email address
- Assess the scope of affected emails
- Check for legal holds that may block deletion
- Approve or reject requests with full audit trail
- Execute deletion with complete erasure
- Generate deletion certificates as proof of compliance
## Key Concepts
### Delete-All Approach
Piler Enterprise uses a full deletion approach rather than redaction for GDPR compliance. When a data subject requests erasure:
- All emails where the data subject appears as sender OR recipient are permanently deleted
- This includes multi-party emails, which are deleted for all parties, not just the data subject
- The archived message files (.m files) are scheduled for purging
Why delete instead of redact?
- Archived message files contain original headers that cannot be modified without compromising archive integrity
- The "View Headers" feature would reveal original sender/recipient data even if metadata was redacted
- The "Restore to Mailbox" feature would deliver the original unredacted message
- True GDPR Article 17 compliance requires complete erasure of personal data
### Legal Hold Integration
The GDPR erasure workflow integrates with the Legal Hold system:
- If any affected emails are under an active legal hold, the erasure request is blocked
- The system checks both user-level holds (specific email addresses) and domain-level holds
- Blocked requests show the specific legal hold(s) preventing deletion
- Article 17(3) GDPR explicitly allows retention where required for legal proceedings
### Request Lifecycle
Each GDPR erasure request progresses through these statuses:
| Status | Description |
|---|---|
| pending | Request created, awaiting assessment |
| assessing | System is analyzing scope of affected emails |
| blocked | Cannot proceed due to active legal hold |
| pending_approval | Assessment complete, awaiting DPO/auditor approval |
| approved | Approved for execution |
| executing | Deletion in progress |
| completed | Deletion finished, certificate available |
| rejected | Request rejected with documented reason |
## Using the GDPR Erasure Feature
### Accessing the Feature
- Log in as an administrator with auditor permissions
- Navigate to Compliance > GDPR Requests in the admin menu
- The dashboard shows an overview of all requests by status
### Creating an Erasure Request
1. Click New Erasure Request
2. Enter the Data Subject Name (optional but recommended for documentation)
3. Add one or more Email Addresses associated with the data subject
   - Click "Add" after entering each email address
   - The data subject may have multiple email addresses (e.g., work and personal)
4. Review the warning about deletion scope
5. Click Create Request
The system will automatically begin scope assessment after creation.
### Understanding the Scope Assessment
The assessment phase counts:
- Emails as Sender: Messages where the data subject sent the email
- Emails as Recipient: Messages where the data subject received the email
- Attachments: Files associated with affected emails
Important: The total count may include duplicates if the data subject sent emails to themselves or appears in both sender and recipient fields.
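The scope counts above and the legal-hold check from the Legal Hold Integration section, as an added example that is not Piler's own code: it runs both checks over constructed in-memory records and returns the status the request would move to. The record fields (`sender`, `recipients`, `attachments`) and the hold attributes (`scope`, `target`, `status`) are assumptions for illustration, not the product's schema.

```python
"""Scope assessment and legal-hold check for an erasure request.

Added example, not Piler's own code: it models the two checks described
above (scope counts, and blocking by active user- or domain-level holds)
over constructed in-memory records. The record fields and hold attributes
are assumptions for illustration, not the product's schema.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Message:
    msg_id: int
    sender: str
    recipients: tuple      # every To/Cc/Bcc address
    attachments: int = 0

@dataclass(frozen=True)
class LegalHold:
    hold_id: int
    scope: str             # "user" (one address) or "domain" (every address in it)
    target: str
    status: str            # only "active" holds block erasure

def _norm(addr):
    return addr.strip().lower()

def assess_scope(messages, subject_addresses):
    """Return the three counters from the request record plus a deduplicated view.

    As in the product's assessment, a message where the subject is both sender
    and recipient (e.g. sent to self) is counted in both totals, so 'total' may
    exceed 'distinct_messages'.
    """
    subjects = {_norm(a) for a in subject_addresses}
    as_sender = as_recipient = attachments = 0
    affected = set()
    for m in messages:
        is_sender = _norm(m.sender) in subjects
        is_recipient = bool(subjects & {_norm(r) for r in m.recipients})
        as_sender += int(is_sender)
        as_recipient += int(is_recipient)
        if is_sender or is_recipient:
            affected.add(m.msg_id)
            attachments += m.attachments
    return {"emails_as_sender": as_sender, "emails_as_recipient": as_recipient,
            "attachments_count": attachments, "total": as_sender + as_recipient,
            "distinct_messages": len(affected), "affected_ids": sorted(affected)}

def blocking_holds(holds, messages, affected_ids):
    """IDs of active holds that cover at least one affected message."""
    wanted = set(affected_ids)
    blocking = set()
    for h in holds:
        if h.status != "active":          # released/expired holds never block
            continue
        target = _norm(h.target)
        for m in messages:
            if m.msg_id not in wanted:
                continue
            parties = [_norm(m.sender), *(_norm(r) for r in m.recipients)]
            if h.scope == "user" and target in parties:
                blocking.add(h.hold_id)
            elif h.scope == "domain" and any(p.partition("@")[2] == target for p in parties):
                blocking.add(h.hold_id)
    return sorted(blocking)

def next_status(scope, holds, messages):
    """Status after assessment: ('blocked', hold_ids) or ('pending_approval', [])."""
    ids = blocking_holds(holds, messages, scope["affected_ids"])
    return ("blocked", ids) if ids else ("pending_approval", [])

# Constructed sample data, not real archive contents.
MESSAGES = [
    Message(1, "john.doe@example.com", ("alice@example.org",), attachments=2),
    Message(2, "bob@example.org", ("john.doe@example.com", "carol@example.org")),
    Message(3, "j.doe@example.com", ("j.doe@example.com",), attachments=1),   # sent to self
    Message(4, "alice@example.org", ("bob@example.org",), attachments=5),    # not the subject
]
HOLDS = [
    LegalHold(7, "user", "carol@example.org", "released"),   # inactive: never blocks
    LegalHold(9, "domain", "example.org", "active"),
]
SUBJECT = ["john.doe@example.com", "J.Doe@example.com"]      # case differs on purpose

if __name__ == "__main__":
    scope = assess_scope(MESSAGES, SUBJECT)
    print(scope)
    print(next_status(scope, HOLDS, MESSAGES))
```

With the sample data the subject is sender of two messages and recipient of two, but only three distinct messages are affected because message 3 was sent to self; the domain-level hold on example.org blocks the request, while the released user-level hold is ignored.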
### Reviewing and Approving Requests
After assessment completes:
1. Click View Details to review the full scope
2. Verify the data subject's identity through your organization's verification process
3. To approve the request, click Approve
   - Review the warning about multi-party email deletion
   - Confirm you have verified the data subject's identity
4. To reject the request, click Reject and provide a documented reason
### Executing the Deletion
After approval:
1. Click Execute Deletion
2. Review the final warning showing the number of emails to be deleted
3. Confirm to proceed
The deletion process:
- Sets each email's retention date to today (scheduling for purge)
- Removes emails from the Manticore search index
- Removes emails from the semantic search embeddings (if enabled)
- Logs all actions to the audit trail
Note: The actual removal of archived message files from storage occurs when the purge daemon runs, according to your system's purge schedule.
### Downloading the Deletion Certificate
After execution completes:
- Click Certificate (HTML) for a viewable HTML certificate
- Click Certificate (PDF) for a PDF version (requires Gotenberg service)
The certificate includes:
- Request ID
- Data subject email address(es)
- Request and completion dates
- Number of emails deleted
- Approver information
- SHA-256 certificate hash for verification
### Viewing the Audit Trail
Click Audit Trail on any request to view:
- All actions taken on the request
- Who performed each action
- Timestamps and IP addresses
- Additional details for each action
## Workflow Diagram
```text
┌─────────────────────────────────────────────────────────────────┐
│ Create Erasure Request                                          │
│ - Enter data subject name (optional)                            │
│ - Add email address(es)                                         │
└─────────────────────────────────────────────────────────────────┘
                                 │
                                 ▼
┌─────────────────────────────────────────────────────────────────┐
│ Automatic Scope Assessment                                      │
│ - Count emails where subject is sender                          │
│ - Count emails where subject is recipient                       │
│ - Count associated attachments                                  │
│ - Check for blocking legal holds                                │
└─────────────────────────────────────────────────────────────────┘
                                 │
                 ┌───────────────┴───────────────┐
                 │                               │
                 ▼                               ▼
     ┌───────────────────────┐       ┌───────────────────────┐
     │ Legal Hold Found      │       │ No Legal Hold         │
     │ Status: BLOCKED       │       │ Status: PENDING       │
     │                       │       │         APPROVAL      │
     │ Cannot proceed        │       └───────────────────────┘
     │ until hold lifted     │                   │
     └───────────────────────┘                   │
                                 ┌───────────────┴───────────────┐
                                 │                               │
                                 ▼                               ▼
                     ┌───────────────────────┐       ┌───────────────────────┐
                     │ Approve               │       │ Reject                │
                     │ - Verify identity     │       │ - Document reason     │
                     │ - Review scope        │       │ Status: REJECTED      │
                     │ Status: APPROVED      │       └───────────────────────┘
                     └───────────────────────┘
                                 │
                                 ▼
┌─────────────────────────────────────────────────────────────────┐
│ Execute Deletion                                                │
│ - Mark emails for purge (set retained date)                     │
│ - Remove from search index                                      │
│ - Remove from semantic embeddings                               │
│ - Log all actions                                               │
│ Status: EXECUTING → COMPLETED                                   │
└─────────────────────────────────────────────────────────────────┘
                                 │
                                 ▼
┌─────────────────────────────────────────────────────────────────┐
│ Generate Certificate                                            │
│ - Request details                                               │
│ - Deletion statistics                                           │
│ - SHA-256 hash for verification                                 │
│ - Available in HTML and PDF formats                             │
└─────────────────────────────────────────────────────────────────┘
```
## API Reference
The GDPR erasure feature is accessible via REST API for integration with external systems.
### List Requests
`GET /api/v1/admin/gdpr/requests`
Query parameters:
- `status` - Filter by status (optional)
- `limit` - Number of results (default: 50)
- `offset` - Pagination offset
### Get Request Details
`GET /api/v1/admin/gdpr/requests/:request_id`
### Create Request
`POST /api/v1/admin/gdpr/requests`
```json
{
  "email_addresses": ["john.doe@example.com", "j.doe@example.com"],
  "requester_name": "John Doe"
}
```
### Run Scope Assessment
`POST /api/v1/admin/gdpr/requests/:request_id/assess`
### Approve Request
`POST /api/v1/admin/gdpr/requests/:request_id/approve`
### Reject Request
`POST /api/v1/admin/gdpr/requests/:request_id/reject`
```json
{
  "reason": "Identity could not be verified"
}
```
### Execute Deletion
`POST /api/v1/admin/gdpr/requests/:request_id/execute`
### Get Certificate (HTML)
`GET /api/v1/admin/gdpr/requests/:request_id/certificate`
### Get Certificate (PDF)
`GET /api/v1/admin/gdpr/requests/:request_id/certificate/pdf`
### Get Audit Trail
`GET /api/v1/admin/gdpr/requests/:request_id/audit`
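The endpoints above driven end to end from an external system, as an added example that is not Piler's own client. Paths and request bodies are the ones documented here; the response shapes (a `request_id` on creation, a `status` field in the details, `legal_hold_ids` when blocked), the bearer-token header and the 201/202 codes in the fake server are assumptions. The HTTP layer is an injected `send(method, path, body)` callable, so the same flow runs against the constructed `fake_server` offline and against a live instance through `http_send`.

```python
"""Drive an erasure request through the REST endpoints listed above.

Added example, not Piler's own client. Endpoint paths and request bodies
are taken from the API reference; the response shapes (a 'request_id' on
creation, a 'status' field in the details and 'legal_hold_ids' when
blocked), the bearer-token header and the 201/202 codes are assumptions.
"""
import hashlib
import json
import time
import urllib.request

BASE = "/api/v1/admin/gdpr/requests"
TRANSIENT = ("pending", "assessing")     # statuses to keep polling through

def http_send(base_url, token):
    """Real transport over urllib; returns (http_status, body_bytes)."""
    def send(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url + path, data=data, method=method)
        req.add_header("Authorization", f"Bearer {token}")      # auth scheme: assumption
        if data is not None:
            req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    return send

class ErasureClient:
    def __init__(self, send, sleep=time.sleep, poll_limit=60):
        self.send, self.sleep, self.poll_limit = send, sleep, poll_limit
        self.calls = []          # (method, path) of every call, for the caller's own records

    def _call(self, method, path, body=None):
        self.calls.append((method, path))
        status, raw = self.send(method, path, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}")
        return raw

    def _json(self, method, path, body=None):
        raw = self._call(method, path, body)
        return json.loads(raw) if raw else {}

    def create(self, emails, name):
        body = {"email_addresses": emails, "requester_name": name}
        return self._json("POST", BASE, body)["request_id"]

    def assess(self, rid):
        """Trigger assessment, then poll the details until the status settles."""
        self._json("POST", f"{BASE}/{rid}/assess")
        for _ in range(self.poll_limit):
            details = self._json("GET", f"{BASE}/{rid}")
            if details["status"] not in TRANSIENT:
                return details
            self.sleep(2)
        raise TimeoutError(f"{rid} still assessing after {self.poll_limit} polls")

    def run(self, emails, name, identity_verified):
        """create -> assess -> blocked | rejected | approve -> execute -> certificate."""
        rid = self.create(emails, name)
        details = self.assess(rid)
        if details["status"] == "blocked":       # legal hold takes precedence
            return {"request_id": rid, "outcome": "blocked",
                    "legal_hold_ids": details.get("legal_hold_ids", [])}
        if not identity_verified:                # approval requires a verified subject
            self._json("POST", f"{BASE}/{rid}/reject",
                       {"reason": "Identity could not be verified"})
            return {"request_id": rid, "outcome": "rejected"}
        self._json("POST", f"{BASE}/{rid}/approve")
        self._json("POST", f"{BASE}/{rid}/execute")
        html = self._call("GET", f"{BASE}/{rid}/certificate")
        # Digest of the copy we store, for our own record keeping.
        return {"request_id": rid, "outcome": "completed",
                "certificate_sha256": hashlib.sha256(html).hexdigest()}

def fake_server(blocked=False):
    """Constructed stand-in for the API (not Piler): just enough state for the flow."""
    state = {"status": "pending", "polls": 0}
    def send(method, path, body=None):
        if (method, path) == ("POST", BASE):
            return 201, json.dumps({"request_id": "GDPR-2026-00001"}).encode()
        if path.endswith("/assess"):
            state["status"] = "assessing"; return 202, b""
        if path.endswith("/approve"):
            state["status"] = "approved"; return 200, b""
        if path.endswith("/reject"):
            state["status"] = "rejected"; return 200, b""
        if path.endswith("/execute"):
            state["status"] = "completed"; return 200, b""
        if path.endswith("/certificate"):
            return 200, b"<html>Deletion certificate GDPR-2026-00001</html>"
        if method == "GET":                       # request details; settles on 2nd poll
            state["polls"] += 1
            if state["status"] == "assessing" and state["polls"] >= 2:
                state["status"] = "blocked" if blocked else "pending_approval"
            details = {"request_id": "GDPR-2026-00001", "status": state["status"]}
            if state["status"] == "blocked":
                details["legal_hold_ids"] = [9]
            return 200, json.dumps(details).encode()
        return 404, b""
    return send

if __name__ == "__main__":
    client = ErasureClient(fake_server(), sleep=lambda _: None)
    print(client.run(["john.doe@example.com"], "John Doe", identity_verified=True))
```

Against a live instance, construct the client as `ErasureClient(http_send("https://piler.example.com", token))` (placeholder host). The client never calls approve when the assessment comes back blocked or when the caller has not confirmed identity verification, which mirrors the approval rules in the sections above.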
## Database Schema
The GDPR erasure feature uses the following tables:
### `gdpr_requests`
Stores erasure request information and status.
| Column | Type | Description |
|---|---|---|
| id | BIGINT | Primary key |
| request_id | VARCHAR(50) | Human-readable ID (e.g., GDPR-2026-00001) |
| email_addresses | JSON | Array of data subject email addresses |
| requester_name | VARCHAR(255) | Data subject name |
| status | ENUM | Current request status |
| emails_as_sender | INT | Count from scope assessment |
| emails_as_recipient | INT | Count from scope assessment |
| attachments_count | INT | Count from scope assessment |
| blocked_by_legal_hold | BOOLEAN | Whether blocked by legal hold |
| legal_hold_ids | JSON | Array of blocking hold IDs |
| blocked_reason | TEXT | Explanation if blocked |
| created_by | VARCHAR(255) | User who created request |
| created_at | DATETIME | Creation timestamp |
| approved_by | VARCHAR(255) | User who approved/rejected |
| approved_at | DATETIME | Approval timestamp |
| rejection_reason | TEXT | Reason if rejected |
| executed_at | DATETIME | Execution timestamp |
| deleted_count | INT | Emails deleted |
| redacted_count | INT | Always 0 (delete-all approach) |
| certificate_hash | VARCHAR(64) | SHA-256 hash of certificate |
### `gdpr_request_audit`
Stores the audit trail for each request.
| Column | Type | Description |
|---|---|---|
| id | BIGINT | Primary key |
| request_id | VARCHAR(50) | Reference to gdpr_requests |
| action | VARCHAR(50) | Action performed |
| performed_by | VARCHAR(255) | User who performed action |
| performed_at | DATETIME | Timestamp |
| details | JSON | Additional context |
| ip_address | VARCHAR(45) | Client IP address |
### `gdpr_request_sequence`
Generates sequential request IDs per year.
| Column | Type | Description |
|---|---|---|
| year_prefix | VARCHAR(4) | Year (e.g., "2026") |
| last_sequence | INT | Last used sequence number |
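The three tables, the per-year request-ID sequence and the status order from the Request Lifecycle table, worked through as an added example that is not Piler's own code. It builds SQLite versions of the tables (a subset of the columns, types adapted to SQLite), allocates `GDPR-<year>-<nnnnn>` IDs inside a write transaction so two concurrent creators cannot get the same number, and writes one `gdpr_request_audit` row per transition. The allowed-transition map is an assumption derived from the status descriptions.

```python
"""In-memory model of the request lifecycle over the three tables above.

Added example, not Piler's own code: SQLite versions of gdpr_requests,
gdpr_request_audit and gdpr_request_sequence (subset of columns, types
adapted), GDPR-<year>-<nnnnn> allocation from the sequence table, and the
status order from the Request Lifecycle table with one audit row per step.
The TRANSITIONS map is an assumption derived from the status descriptions.
"""
import json
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE gdpr_requests (
    id INTEGER PRIMARY KEY, request_id TEXT UNIQUE NOT NULL,
    email_addresses TEXT NOT NULL, requester_name TEXT,
    status TEXT NOT NULL CHECK (status IN ('pending','assessing','blocked',
        'pending_approval','approved','executing','completed','rejected')),
    legal_hold_ids TEXT, rejection_reason TEXT,
    created_by TEXT NOT NULL, created_at TEXT NOT NULL,
    approved_by TEXT, approved_at TEXT, executed_at TEXT);
CREATE TABLE gdpr_request_audit (
    id INTEGER PRIMARY KEY, request_id TEXT NOT NULL REFERENCES gdpr_requests(request_id),
    action TEXT NOT NULL, performed_by TEXT NOT NULL, performed_at TEXT NOT NULL,
    details TEXT, ip_address TEXT);
CREATE TABLE gdpr_request_sequence (year_prefix TEXT PRIMARY KEY, last_sequence INTEGER NOT NULL);
"""

# Which status may follow which (assumed from the lifecycle table above).
TRANSITIONS = {
    "pending": {"assessing"},
    "assessing": {"blocked", "pending_approval"},
    "blocked": {"assessing"},            # re-run assessment once the hold is lifted
    "pending_approval": {"approved", "rejected"},
    "approved": {"executing"},
    "executing": {"completed"},
    "completed": set(), "rejected": set(),
}

def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def next_request_id(conn, year):
    """Allocate the next GDPR-<year>-<5 digits> ID from the sequence table."""
    conn.execute("INSERT OR IGNORE INTO gdpr_request_sequence VALUES (?, 0)", (year,))
    conn.execute("UPDATE gdpr_request_sequence SET last_sequence = last_sequence + 1 "
                 "WHERE year_prefix = ?", (year,))
    (seq,) = conn.execute("SELECT last_sequence FROM gdpr_request_sequence "
                          "WHERE year_prefix = ?", (year,)).fetchone()
    return f"GDPR-{year}-{seq:05d}"

def _audit(conn, rid, action, actor, details, ip):
    conn.execute("INSERT INTO gdpr_request_audit(request_id, action, performed_by, "
                 "performed_at, details, ip_address) VALUES (?,?,?,?,?,?)",
                 (rid, action, actor, _now(), json.dumps(details), ip))

def create_request(conn, emails, name, actor, ip):
    """Sequence bump, request row and first audit entry in one write transaction."""
    with conn:
        if not conn.in_transaction:
            conn.execute("BEGIN IMMEDIATE")   # write lock before reading the sequence
        rid = next_request_id(conn, _now()[:4])
        conn.execute("INSERT INTO gdpr_requests(request_id, email_addresses, requester_name, "
                     "status, created_by, created_at) VALUES (?,?,?,?,?,?)",
                     (rid, json.dumps(emails), name, "pending", actor, _now()))
        _audit(conn, rid, "created", actor, {"email_addresses": emails}, ip)
    return rid

def transition(conn, rid, new_status, actor, ip, details=None):
    """Move a request to new_status if the lifecycle allows it, else raise ValueError."""
    details = details or {}
    with conn:
        row = conn.execute("SELECT status FROM gdpr_requests WHERE request_id = ?", (rid,)).fetchone()
        if row is None:
            raise LookupError(rid)
        current = row[0]
        if new_status not in TRANSITIONS[current]:
            raise ValueError(f"{rid}: {current} -> {new_status} is not a valid transition")
        sets = {"status": new_status}          # column names are fixed keys, never user input
        if new_status == "blocked":
            sets["legal_hold_ids"] = json.dumps(details.get("legal_hold_ids", []))
        if new_status == "rejected":
            sets["rejection_reason"] = details.get("reason")
        if new_status in ("approved", "rejected"):
            sets["approved_by"], sets["approved_at"] = actor, _now()
        if new_status == "executing":
            sets["executed_at"] = _now()
        assignments = ", ".join(f"{col} = ?" for col in sets)
        conn.execute(f"UPDATE gdpr_requests SET {assignments} WHERE request_id = ?",
                     (*sets.values(), rid))
        _audit(conn, rid, new_status, actor, {"from": current, **details}, ip)

def status_of(conn, rid):
    return conn.execute("SELECT status FROM gdpr_requests WHERE request_id = ?", (rid,)).fetchone()[0]

def audit_trail(conn, rid):
    return [tuple(r) for r in conn.execute("SELECT action, performed_by FROM gdpr_request_audit "
                                           "WHERE request_id = ? ORDER BY id", (rid,))]

if __name__ == "__main__":
    db = open_db()
    rid = create_request(db, ["john.doe@example.com"], "John Doe", "dpo@example.com", "203.0.113.10")
    for step in ("assessing", "pending_approval", "approved", "executing", "completed"):
        transition(db, rid, step, "dpo@example.com", "203.0.113.10")
    print(rid, status_of(db, rid), audit_trail(db, rid))
```

A request that is blocked can only go back to assessing (after the hold is released), and completed or rejected requests accept no further transitions; any attempt to skip a step, such as approving a request that was never assessed, is refused before anything is written.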
## Best Practices
### Identity Verification
Before approving any erasure request:
- Verify the requester's identity through your organization's established procedures
- Confirm the email addresses belong to the data subject
- Document the verification method used
### Legal Hold Coordination
- Review all active legal holds before creating erasure requests
- Coordinate with legal counsel if holds conflict with erasure obligations
- Document the legal basis for any retention that overrides erasure requests
### Record Keeping
- Download and securely store deletion certificates
- Maintain records of erasure requests for compliance documentation
- Export audit trails for long-term retention
### Response Timelines
Under GDPR, you must respond to erasure requests within:
- 30 days for standard requests
- Up to 90 days for complex requests (with notification to the data subject)
Plan your verification and approval workflows accordingly.
## Limitations
### Multi-Party Emails
When deleting emails involving multiple parties:
- The email is deleted for all parties, not just the data subject
- Other recipients lose access to that email
- Consider notifying affected users if appropriate for your organization
### Backup Considerations
- Emails in backups are not immediately deleted
- Upon backup restoration, purge rules will apply to restored data
- Consider your backup retention policy in relation to erasure obligations
### Search Index Timing
- Emails are immediately removed from Manticore search index
- The actual message files are removed when the purge daemon runs
- Users may briefly see search results that fail to display (until purge completes)
## Troubleshooting
### Request Stuck in "Assessing"
- Check database connectivity
- Review application logs for errors
- Manually trigger assessment via the API
### Legal Hold Blocking Unexpectedly
- Click "View Details" to see which holds are blocking
- Check both user-level and domain-level holds
- Verify the hold status (only "active" holds block)
### Certificate PDF Generation Fails
- Ensure Gotenberg service is running and accessible
- Check `GOTENBERG_URL` configuration
- HTML certificates remain available as fallback
### Deletion Not Appearing Complete
- Emails are marked for purge but files remain until purge daemon runs
- Check purge daemon schedule and logs
- Search index removal is immediate
## Related Documentation
- GDPR Compliance Overview - Legal and regulatory framework
- Legal Hold System - Managing litigation holds
- Audit Logging - Understanding audit trails
- Retention Policies - Configuring data retention