What Is the Right to Erasure in Salesforce?

When does the right to erasure apply?

Under GDPR Article 17, a data subject can request erasure when:

• The personal data is no longer necessary for the purpose for which it was collected
• The data subject withdraws consent (and there is no other legal basis for processing)
• The data subject objects to processing and there are no overriding legitimate grounds
• The personal data has been unlawfully processed
• Erasure is required to comply with a legal obligation

Not all erasure requests must be honored.Article 17(3) lists exemptions including: compliance with a legal obligation, establishment or defense of legal claims, and archiving in the public interest. But when the request is valid, you have 30 days to complete it.

What right to erasure actually requires in Salesforce

Deleting a Contact record in Salesforce does not satisfy GDPR Article 17. The personal data associated with that contact also lives in:

• Activity records.Tasks and Events that reference the contact by name or contain personal data in notes
• Case records.Support cases with case descriptions, emails, and attachments containing personal data
• Related custom objects.Any custom object with a lookup relationship to the contact
• Field history tracking.Salesforce stores historical field values in audit tables; these contain the old values you changed
• Sandbox copies.Every full-copy sandbox refresh takes a snapshot of production; deleted production records survive in sandboxes until the next refresh

Complete erasure requires addressing all of these.not just the top-level record.

The 30-day window and what it means operationally

GDPR Article 12 requires that erasure requests be completed within one calendar month of receipt (with a possible 2-month extension for complex cases, with notice given within the first month). This deadline applies from the moment the request is received.not from when you verify it, not from when you get around to it.

For organizations receiving more than a handful of erasure requests per month, manual tracking of 30-day windows is a compliance risk. Each missed deadline is a potential Article 83 violation. Automated DSAR tracking with deadline monitoring eliminates this risk.

Legal hold conflicts: when erasure must be refused

Some Salesforce records cannot be deleted.even if a valid erasure request is received.because another legal obligation requires retention:

• A FINRA-regulated broker-dealer must retain customer records for 6 years (Rule 4511)
• A healthcare organization must retain PHI for HIPAA's minimum 6-year period
• A company in active litigation must retain relevant records under a legal hold

In these cases, the erasure request must be refused.but the refusal must be documented, communicated to the data subject within 30 days, and accompanied by the legal basis for refusal. A manual process for handling these conflicts is fragile. Automated systems detect the conflict, route for review, and generate the documentation.

Sandbox erasure: the gap most organizations miss

When you complete an erasure request in production.deleting or anonymizing the contact and related records.you've addressed production. But the same person's data exists in every sandbox copy that was refreshed before the erasure.

If you refreshed your full-copy sandbox 3 months ago, the deleted contact's data is still there. GDPR does not draw a distinction between production and non-production environments.personal data is personal data regardless of the system it's in.

DataMasker closes this gap: when a sandbox is refreshed after the production erasure, the masking rules apply to the current production state.the deleted contact is absent from the sandbox.