How to Handle Data Deletion Requests

Deadlines, process and best practices for GDPR right to erasure in B2B sales

Key takeaways
  • You have 30 calendar days to respond to a data deletion request under Art. 17 GDPR. Not responding is a serious infringement
  • The process is straightforward: verify identity, delete from all systems, confirm to requester and document everything
  • Working with MapiLeads and verified public data simplifies the process since every data point has traceable origin

What is the right to erasure and when does it apply?

The right to erasure (Art. 17 GDPR), known as the "right to be forgotten", allows anyone to request deletion of their personal data. In B2B prospecting, if a contact asks you to delete their data, you must comply.

This right applies when data is no longer necessary, the data subject objects, or data was unlawfully processed. If someone in your database asks you to delete them, you must always comply.

A clear process turns this into a 5-minute task. Using verified public data makes traceability easy. The ICO provides a thorough guide on implementing data protection by design and by default, which is essential for building deletion-ready systems from the start.

  • 30 days: maximum deadline to respond to a data deletion request under GDPR (Source: Regulation (EU) 2016/679, Art. 12.3)
  • 48 hours: recommended internal processing time
  • +180%: increase in deletion requests since 2020

5 steps to handle a deletion request

1. Verify requester identity

Confirm they are who they claim to be. An email from the address on file is usually sufficient.

2. Locate all data

CRM, spreadsheets, backups, email lists. Search every system where the contact may appear.

3. Delete from all systems

Remove the complete record. If your CRM has cleaning functions, this can be automated.

4. Confirm to the requester

Send an email confirmation, within 30 days, stating what data you held and from which systems you removed it.

5. Document everything

Record the request, date, data deleted and confirmation. This is your compliance proof for any authority. Spain's LOPDGDD (Ley Orgánica 3/2018) complements the GDPR with additional Spanish-specific requirements on data subject rights.

Deletion requests are not a problem: they are an opportunity to demonstrate professionalism. 65% of contacts who receive swift confirmation improve their perception of the company. The AEPD has published a practical guide to help businesses comply with GDPR, including handling data subject requests efficiently.
Traceable data, easy to manage
With MapiLeads every data point has a verified, documented source. Simplifies GDPR request management.

No deletion process

  • Art. 17 GDPR breach
  • Complaints to authorities
  • Data remains in multiple systems
  • No compliance documentation

Documented process

  • Full compliance under 48h
  • Swift confirmation to contact
  • Deletion verified across all systems
  • Documentation ready for audit

Mandatory deadlines and actions (Art. 17)

| Action | Legal deadline | Recommendation |
|---|---|---|
| Acknowledge receipt | No explicit deadline | 24-48 hours |
| Verify identity | Within 30 days | 1-3 days |
| Delete data | Within 30 days | 1 week |
| Confirm deletion | 30 days max | Immediately after |
| Document | Mandatory | Same day |

A well-handled deletion request is trust earned, not a problem
In summary
  • You have 30 days to fulfil a deletion request: verify, delete from all systems, confirm and document
  • MapiLeads works with verified, traceable public data, making it easy to locate, delete and document every data point
  • A clear process turns requests into a 5-minute task that improves your company's perception
Traceable data, easy to manage and delete
Generate databases from verified public sources in 120+ countries.

Frequently asked questions

How long do I have to respond to a deletion request?
GDPR sets a maximum of 30 calendar days. This can be extended by 60 days in complex cases, but you must inform the requester within the first 30 days.
Can I refuse to delete data?
Only exceptionally: legal obligation, defending legal claims, or public interest. In B2B prospecting, these almost never apply.
What if I do not respond?
It is a serious GDPR infringement. It can lead to complaints and fines of up to 20 million euros. It also damages company reputation.