Right to Erasure

As a cloud hosting provider, according to article 28 GDPR, Processor, you should act as a Data Processor. In this case, the data subjects who have personal data on your servers on behalf of your customers must exercise their right to delete to the data controllers, (your customers), per Art 17 (Right to erasure) para 1: "The data subject shall have the right to obtain from the controller the erasure of personal data". You, as a Data Processor, if you receive a deletion request from a data subject, you should either forward the request to the right customer or inform the data subject that they should exercise their right towards the respective data controller. 

However, if one of your business customers request you to delete the personal data they are accountable for, you should comply with this request, because they act as a data controller, per Art 28 para 3 (e): "taking into account the nature of the processing, assists the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller's obligation to respond to requests for exercising the data subject's rights". Regarding data from the backups, that data is deleted anyway after a while.  

We are preparing a Live Virtual Training around How to handle a Data Subject Request according to GDPR, stay tuned for the announcements!

Please explore the following links to find more details:

• Art 28 GDPR – Processor: https://advisera.com/eugdpracademy/gdpr/processor/
• Art 17 GDPR – Right to delete: https://advisera.com/eugdpracademy/gdpr/right-to-erasure-right-to-be-forgotten/
• Right to be forgotten in the era when everyone seems willing to be remembered: https://advisera.com/eugdpracademy/blog/2019/08/26/gdpr-right-to-be-forgotten-an-easy-explanation/
• Data subject rights according to GDPR: https://advisera.com/eugdpracademy/knowledgebase/8-data-subject-rights-according-to-gdpr/