Rock the OneTrust Certified Privacy Pro Exam 2025 – Privacy Pros, Prepare to Shine!

The appropriate action for a data controller upon receiving a data erasure request is to erase the data unless there is a legitimate reason to retain it. This practice is grounded in privacy regulations like the General Data Protection Regulation (GDPR), which grants individuals the right to request the deletion of their personal data under certain circumstances.

When a data controller receives such a request, they must first assess whether the data in question falls under the criteria for erasure. This includes evaluating whether the personal data is no longer necessary for the purposes for which it was collected, if the individual has withdrawn their consent on which the processing is based, or if the data has been unlawfully processed.

If a legitimate reason exists—such as compliance with a legal obligation to retain the data or the need to establish, exercise, or defend legal claims—then the data controller has the right to retain the data. Thus, the focus is on addressing the request appropriately by evaluating its validity and ensuring compliance with relevant legal obligations while respecting the rights of individuals.