Article 17 says the controller must demonstrate erasure. The procedural answer was always weak. The cryptographic answer closes the question.
The right-to-erasure request used to be operational: receive the request, run the deletion across the systems where the data lived, log the deletion, return confirmation. The DPA was satisfied with the procedural evidence.
The supervisory authorities started asking harder questions. What about the backup tapes? What about the offline archives? What about the system that snapshotted the database 3 months ago? The procedural answer started running into structural gaps. The "we believe it's gone" defence stopped being durable.
The architectural answer is to make the data unreadable by destroying the encryption key. The encrypted bytes can persist in any backup, in any archive, in any snapshot — and remain mathematically unrecoverable. The DPA's question becomes verifiable rather than presumptive.
What Article 17 actually requires.
The right to erasure (right to be forgotten) under GDPR Article 17 has 6 grounds for invocation. The architectural requirements are common across them.
| Ground for erasure | What it means in practice |
|---|---|
| No longer necessary | The personal data is no longer needed for the original purpose |
| Withdrawn consent | The data subject withdrew the consent the processing relied on |
| Objection to processing | Article 21 objection that overrides legitimate interest |
| Unlawful processing | The processing was unlawful from the start |
| Compliance with legal obligation | EU or member-state law requires erasure |
| Child consent revocation | Personal data of a child collected under Article 8 |
The controller must comply "without undue delay" and must demonstrate compliance — not just intend it.
What "demonstrate erasure" actually requires.
The supervisory authorities have moved on the standard. The expected evidence:
| Evidence type | What it actually requires |
|---|---|
| Production-system erasure | Standard; well-trodden |
| Backup-tape erasure | Either restoration-with-deletion at next recovery, or cryptographic erasure |
| Offline-archive erasure | Same — procedural deletion is often impossible; cryptographic is the answer |
| Snapshot-system erasure | Same |
| Cross-jurisdiction erasure | Where data was processed across regions, the deletion has to extend |
| Third-party-processor erasure | Coordinated deletion across the data-processor chain |
| Verification by the data subject | The data subject can request verification |
| Verification by the supervisory authority | The DPA can request verification |
Most procedural deletion implementations cover the first one well, the next 4 poorly, and the verification questions essentially not at all.
How TeamSync covers each requirement.
| Requirement | TeamSync implementation |
|---|---|
| Production-system erasure | Native; per-document or per-data-subject |
| Backup-tape erasure | Cryptographic — the encryption key is destroyed; backups become unreadable |
| Offline-archive erasure | Same cryptographic mechanism; archives become unreadable |
| Snapshot-system erasure | Same — snapshot encryption keys destroyed |
| Cross-jurisdiction erasure | Per-region key destruction; per-region audit trail |
| Third-party-processor coordination | Sub-processor coordination workflow with audit anchoring |
| Verification | Cryptographic proof — DPA's tooling can verify the destruction |
| Audit trail | Native; every erasure event anchored to the audit chain |
The architectural mechanism.
The mechanism is the per-tenant envelope encryption that the platform uses by default. Each tenant's data — and within a tenant, each data-subject category — is encrypted with its own key. Erasure executes by destroying the key in a two-person ceremony.
| Stage | What happens |
|---|---|
| 1. Erasure request received | Workflow opens; the request scope is documented |
| 2. Scope validated | The data subject's data scope is identified across the platform |
| 3. Two-person ceremony | Key destruction requires 2 operators with separate authorities |
| 4. Key destruction | The data-encryption key is mathematically destroyed |
| 5. Audit anchor | The destruction event is anchored to the cryptographic chain |
| 6. Verification artifact | Generated artifact verifiable by the data subject and the DPA |
The encrypted data persists wherever it persists. It is unreadable. The proof is mathematical.
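The six stages above, sketched as an added example (not TeamSync's code): a key store that refuses destruction under a legal hold or without two distinct operators, appends the event to a hash chain, and a verifier that an outside party could run over the exported chain. The class and function names, the `subject-…` key IDs, and the JSON event layout are assumptions made for illustration; the data encryption itself is left out.

```python
import hashlib, json, os

GENESIS = "0" * 64  # assumed anchor value for the first chain entry

def _digest(body):
    # Canonical JSON so signer and verifier hash identical bytes.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ErasureLedger:
    def __init__(self):
        self.keys = {}      # key_id -> data-encryption key (constructed, random)
        self.holds = set()  # key_ids under an active legal hold
        self.chain = []     # hash-chained audit events

    def create_key(self, key_id):
        self.keys[key_id] = bytearray(os.urandom(32))

    def _append(self, event):
        prev = self.chain[-1]["hash"] if self.chain else GENESIS
        body = dict(event, seq=len(self.chain), prev=prev)
        self.chain.append(dict(body, hash=_digest(body)))
        return self.chain[-1]

    def destroy_key(self, key_id, approvers):
        # Stages 2-3: holds win over erasure; one operator cannot act alone.
        if key_id in self.holds:
            raise PermissionError("active legal hold blocks erasure")
        if len(set(approvers)) < 2:
            raise PermissionError("two distinct operators required")
        key = self.keys.pop(key_id)   # stage 4: remove from the store
        key[:] = bytes(len(key))      # best-effort overwrite of the in-memory copy
        # Stages 5-6: the returned entry is the verification artifact.
        return self._append({"type": "key_destroyed", "key_id": key_id,
                             "approvers": sorted(set(approvers))})

def verify_destruction(chain, key_id):
    """True only if the chain is intact and records a two-person destruction."""
    prev, found = GENESIS, False
    for seq, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or entry["seq"] != seq or _digest(body) != entry["hash"]:
            return False              # any edit, reorder or deletion breaks the links
        if body.get("type") == "key_destroyed" and body.get("key_id") == key_id:
            found = len(set(body["approvers"])) >= 2
        prev = entry["hash"]
    return found
```

An intact chain shows that the destruction was recorded and has not been altered since; it does not by itself show that no other copy of the key exists, so key replicas, KMS backups and cached keys have to be inside the ceremony's scope.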
What changes for the privacy team.
| Activity | Before | With TeamSync |
|---|---|---|
| Right-to-erasure response | Procedural deletion + audit log | Cryptographic key destruction + verifiable proof |
| Backup-tape recovery risk | Real, persistent | Eliminated by key destruction |
| Cross-region erasure proof | Procedural | Cryptographic |
| DPA inquiry response | Procedural narrative | Mathematical proof |
| Sub-processor erasure coordination | Spreadsheet | Workflow with audit anchor |
| Annual erasure-program audit | Multi-week project | Generated artifact |
What composes onto the platform.
| Capability | Inside the Article 17 perimeter |
|---|---|
| RBAC + Backup | The crypto-shred mechanism |
| Intelligent Repository | The records platform the erasure operates on |
| Audit ledger | The chain that anchors the destruction event |
| Business Process Automation | The erasure workflow with the two-person ceremony |
| eDiscovery | The hold mechanism that respects active legal holds preventing erasure |
The composition matters because the erasure mechanism has to interact correctly with active holds (you cannot erase data subject to a litigation hold), with the audit chain (the destruction is itself an audit event), and with the workflow engine (the two-person ceremony is workflow-enforced).
How customers compare TeamSync for Article 17.
The Article 17 evaluation usually compares against:
- Microsoft Purview Customer Lockbox + Customer Key — strong inside M365; the cryptographic-proof argument is partial
- AWS KMS / Azure Key Vault with manual erasure workflows — strong on the key-management layer; the document-platform integration and the workflow are on you to build
- In-house envelope encryption — most flexible; the operational ceremony, the audit anchoring, the regulator-acceptance argument need to be built
For specific comparisons:
- TeamSync vs SharePoint + M365
Read further.
- Why TeamSync — crypto-shred — the architectural pillar
- RBAC + Backup capability — the underlying capability
- HIPAA overlay — the related US PHI right-to-erasure pattern
- Chief Compliance Officer page — the executive conversation