Does a company have to confirm the deletion of my personal data?

You have requested a company to delete your personal data in accordance with the General Data Protection Regulation (GDPR), but after that it remains deafeningly silent. Even if the company has effectively deleted your data, not responding to your request is a violation. A company is required by law to inform you within one month of the action it has taken in response to your request.

A decision of the Belgian Data Protection Authority (DPA) of 2 July 2025 (No. 114/2025) underscores this crucial communication duty.

The facts: a request for erasure without response

The case that came before the DPA was simple but very recognizable. A citizen received marketing emails from a company and decided to exercise his rights under the AVG. On 22 November 2024, he submitted a formal request to the company to delete all his personal data and remove him from all mailing lists.

When there was no response, the man filed a complaint with the Data Protection Authority on 27 December 2024.

In its defense, the company argued that it had indeed deleted the data, in accordance with the request. The reason the applicant was never informed of this was due to "human error," according to the company.

The decision: erasing is not enough, informing is a duty

The DPA's Dispute Chamber ruled that despite having deleted the data, the company had still violated the GDPR.

The crux of the decision lies in Article 12.3 of the GDPR. This article states that a data controller (the company) is obliged to provide the data subject (the citizen) with information on the action taken on the request "without delay and, in any event, within one month of receipt of the request."

The company had deleted the data, but had failed to notify the applicant of this within the legal deadline. The DPA ruled that this constituted a clear violation of the GDPR and imposed a formal warning on the company.

Legal analysis and interpretation

This decision is an important reminder of the principle of the accountability from Article 5.2 of the GDPR. Not only must an organization comply with the rules of the GDPR, but it must also be able to prove its compliance. The communication obligation from Article 12 is an essential part of that burden of proof.

The ratio decidendi of the DPA is clear: the exercise of the data subject's rights (such as the right to data erasure from Article 17 GDPR) generates an active information obligation for the controller. It is a twofold obligation: (1) perform the action (erase, correct, give access) and (2) inform the data subject about it. The "human error" argument is not accepted by the DPA as a valid justification. Indeed, within the GDPR, the data controller is obliged to implement the necessary technical and organizational measures to ensure proper compliance. An isolated error often indicates a structural flaw in the internal procedures.

What this specifically means

• For you as a consumer or citizen: Your GDPR rights do not end with the submission of a request. You have the right to receive a clear and substantive response within one month. A simple acknowledgement of receipt is not sufficient. If you do not receive a response, you can, like the complainant in this case, file a complaint with the Data Protection Authority.
• For companies (data controllers): It is crucial to have robust internal procedures for following up on data subject requests. Ensure not only proper substantive handling (e.g., effective deletion of data), but also a conclusive communication and follow-up system. A request may only be considered "dealt with" after the data subject has been correctly and timely informed. Ignoring this communication obligation can lead to sanctions ranging from a warning to a fine.

Frequently asked questions (FAQ)

1. What is the deadline for a company to respond to my data erasure request?
In principle, a company must respond within one month of receiving your request. This deadline can be extended by two months in complex cases, but the company must inform you of this extension and the reasons for it within the first month.

2. Is an automatic receipt a valid response?
No. The Dispute Chamber explicitly emphasizes in its decision that an acknowledgment of receipt cannot be considered a substantive response to a request. You should receive an acknowledgement of the action taken.

3. Where were the complainant's data originally collected?
In this particular case, the company indicated that it collected the complainant's data through the Crossroads Bank for Enterprises (CBE)..

Conclusion

The duty to act and the duty to inform are two sides of the same coin under the GDPR. A company that executes your data erasure request but does not inform you about it is violating the law. This ruling by the DPA confirms that transparent and timely communication is not an afterthought, but a fundamental obligation.