Most organizations understand the basics of GDPR's right to erasure: when a data subject requests deletion, you delete their data. Simple enough when the data lives in your own systems. But what happens when the data also lives in your vendor's systems — and you've already ended the relationship with that vendor?
This is the scenario that catches compliance teams off guard, and it's happening more frequently as companies cycle through SaaS vendors, switch providers, and consolidate their tech stacks.
What Article 17 actually requires
Article 17(1) grants data subjects the right to have their personal data erased "without undue delay" when one of its grounds applies: the data is no longer necessary for the purpose it was collected for, consent is withdrawn and no other legal basis exists, the data subject objects under Article 21 and there are no overriding legitimate grounds, or the data was processed unlawfully. Article 17(3) lists the exceptions (legal obligations, public interest, legal claims, and a few others), so "no overriding legal basis for retention" is the practical test.
The obligation doesn't stop at your own systems, but Article 17(2) is narrower than it is often described. It applies only where you have made the personal data public, and it requires you, taking account of available technology and cost, to take "reasonable steps" to inform other controllers processing that data that the data subject has requested erasure of any links to, copies or replications of it. It says nothing about processors. The provisions that actually reach your vendors are elsewhere: Article 19 obliges you to communicate any erasure to each recipient to whom the data was disclosed (a processor is a recipient), unless that proves impossible or involves disproportionate effort; Article 28(3)(e) requires the processor to assist you in responding to data subject requests; and Article 28(3)(g) requires the processor, at the end of the provision of services, to delete or return all the personal data and to delete existing copies, unless Union or Member State law requires storage.
For practical purposes, this means that when a customer exercises their right to erasure, you must be able to identify every processor that received that customer's data and instruct each of them to erase it, including vendors you no longer work with. As controller you remain accountable (Article 5(2)) for personal data a former processor still holds on your behalf.
The right to erasure does not expire when a vendor contract does. Your obligations follow the data for as long as it exists.
The former vendor problem
Here's where it gets complicated. When a vendor relationship is active, you have leverage. You have a Data Processing Agreement. You have a contractual relationship. You can send a deletion request and follow up through normal business channels.
When the relationship has ended, your leverage is significantly reduced. The DPA may have terminated (although its end-of-service deletion clause, the one implementing Article 28(3)(g), is exactly what you now need to invoke). Your primary contact at the vendor may have moved on. The vendor may have been acquired, may have changed their data practices, or may simply deprioritize requests from former customers.
This creates a real operational gap: the regulation's deletion duty is triggered precisely by the end of the service, and the Article 19 notification duty attaches to every recipient, past or present. Your obligation to facilitate erasure requests therefore extends to vendors you offboarded six months ago, a year ago, or longer, for as long as they might still hold personal data.
Three scenarios that create exposure
Scenario 1: You offboarded the vendor but never confirmed deletion. This is the most common scenario. The contract ended, you stopped using the service, but you never formally requested — or verified — that the vendor deleted all personal data. Now a data subject submits an erasure request, and you can't confirm whether the former vendor still holds their data.
Scenario 2: The vendor confirmed deletion, but not completely. The vendor sent an email saying they deleted your data, but they didn't address backups, analytics databases, or derived datasets. Or they deleted production data but retained records in their logging infrastructure. Article 28(3)(g) requires the processor to delete existing copies, not just the primary application's records; the only carve-out is storage required by Union or Member State law, and any such retention should be named in the response. Backups are the usual sticking point. A confirmation that is silent on them is incomplete; if the vendor erases backups only on their rotation cycle, the confirmation should state the retention period and commit that the data will not be restored to live systems in the meantime.
Scenario 3: The vendor shared data with sub-processors. Your vendor used a sub-processor (a cloud provider, an analytics tool, a support platform) that also processed personal data on your behalf. When you offboarded the vendor, neither you nor the vendor ensured the sub-processor deleted the data. Article 28(2) requires your prior authorisation for sub-processors, and Article 28(4) requires the same data protection obligations in your DPA, including end-of-service deletion, to be flowed down to each of them. Whether those obligations were actually fulfilled during offboarding is another question entirely, and your vendor remains fully liable to you for the sub-processor's performance.
What “reasonable steps” means in practice
The GDPR builds flexibility into these duties: Article 19 excuses notification only where it is impossible or would involve disproportionate effort, Article 17(2)'s "reasonable steps" standard applies to data you have published, and the accountability principle asks what was appropriate in context. That flexibility cuts both ways, because you must be able to show why a step was not taken, and data protection authorities have been progressively narrowing what counts as a reasonable excuse.
At a minimum, reasonable steps for former vendor relationships include:
Maintaining a record of what data was shared. You need to know which vendors processed which categories of personal data. If you can't answer the question "which of our former vendors had access to this customer's PII," you can't fulfill an erasure request. Your Article 30 record of processing activities must already list categories of recipients, and an authorised sub-processor list is a standard DPA annex; both are the starting point. This is a data mapping exercise that ideally happens during the vendor relationship, not after it ends.
Issuing formal deletion requests at offboarding. When a vendor relationship ends, the deletion request should be specific: which data categories, which systems (production, backups, analytics, logs), which sub-processors, and by what deadline, citing the DPA clause that implements Article 28(3)(g). A generic email asking the vendor to "delete our data" is insufficient.
Obtaining deletion certifications. A confirmation email isn't a certification. A deletion certificate should specify what was deleted, from which systems and sub-processors, on what date, by what method, and whether any data was retained under a legal exception and for how long. Article 28(3)(h) obliges the processor to make available all information necessary to demonstrate compliance, which is the contractual hook for insisting on a proper certificate.
Having a process for post-offboarding erasure requests. If a data subject requests erasure after you've already offboarded a vendor, you need a way to contact the former vendor and request deletion of that specific individual's data. You also need a fallback when the vendor no longer responds: record every attempt, because Article 19 excuses only what is impossible or disproportionate, and you will have to show why you could not do more.
The documentation standard
EU data protection authorities have been increasingly specific about documentation expectations. Under GDPR's accountability principle (Article 5(2)), you must be able to demonstrate compliance — not just claim it.
For vendor data offboarding, this means maintaining a complete record of what personal data each vendor processed, the formal deletion request sent at offboarding, the vendor's response and deletion certification, a timeline showing reasonable completion, and any exceptions with documented legal basis.
If an erasure request arrives after offboarding, you need to be able to produce this documentation quickly. “We sent an email and got a reply” isn't sufficient. Structured, timestamped, auditable documentation is the standard that DPAs are moving toward.
How Fimi solves this
Every requirement above — data inventory, structured deletion requests, certification tracking, post-offboarding contact management, and audit-ready documentation — is exactly what Fimi was built to handle.
Automated data inventory at offboarding. When a vendor relationship is flagged for termination, Fimi parses your DPA and vendor agreements to extract the data categories, processing purposes, and sub-processor relationships. Instead of manually reconstructing what data the vendor had access to, you start with a structured inventory derived from your own contracts.
Structured deletion requests with tracking. Fimi generates specific, scoped deletion requests that reference the data inventory — not generic emails. Each request specifies data categories, system scope (production, backups, analytics, sub-processors), deadlines, and the deletion certification format you require. Every request is tracked with automated follow-ups when deadlines approach.
Deletion certification management. When the vendor responds, Fimi captures the certification and validates it against the original request. Did the vendor address all data categories? Did they cover sub-processors? Did they note any retention exceptions? Gaps are flagged automatically so you can follow up before the offboarding is marked complete.
Former vendor registry. Fimi maintains a structured record of every offboarded vendor — including contact information, the data they processed, and the deletion certifications on file. When a data subject files an erasure request months later, you can instantly identify which former vendors may have processed their data and whether deletion was already confirmed.
Audit-ready evidence packages. Every offboarding produces a complete, timestamped evidence package: data inventory, deletion request, vendor correspondence, deletion certification, access revocation confirmation, and a full timeline. When a DPA or auditor asks how you handle Article 17 for former vendors, you hand them the package.
The regulatory trajectory
GDPR enforcement is maturing, and vendor data management is squarely in the crosshairs. The European Data Protection Board's guidelines on data transfers, processor obligations, and accountability all point toward stricter expectations around the full data lifecycle — including what happens after a vendor relationship ends.
Organizations that treat vendor offboarding as a checkbox exercise — or worse, ignore it entirely — are accumulating risk that compounds with every vendor relationship that ends without proper data governance.
The right to erasure doesn't expire when a vendor contract does. Your obligations follow the data, wherever it lives, for as long as it exists. Fimi gives you the infrastructure to meet that standard from day one.