Data Deletion (Right to Erasure) Template

Only if the data is truly anonymized. You can aggregate the user's data into statistics (e.g., "100 users performed action X") as long as the individual contribution cannot be extracted. Pseudonymized data where you still hold the lookup key does not qualify. See the [data anonymization template](/templates/data-anonymization-template) for proper techniques.

The data controller is typically the B2B customer (the company), not the individual end user. Deletion requests from end users should be routed to their company's admin, who decides based on their own data processing agreements. Your product should provide admins with deletion tools. When a company terminates their contract, delete all data for that tenant.

You must notify your sub-processors and request deletion per your Data Processing Agreement (DPA). Track the request and log their confirmation. If a third party refuses or cannot delete, document the reason and escalate to legal. You remain responsible for ensuring deletion across the entire processing chain.

Retain audit records for at least 3-5 years, or longer if required by your industry's regulations. The audit trail should not contain the personal data itself, only the fact that deletion was requested and executed, with timestamps and system references.

If a model has memorized specific user data (possible with small training sets), you may need to retrain the model without that user's data. For models trained on large datasets with differential privacy, individual data points are not extractable, and retraining is typically not required. Document your assessment either way.