Data Deletion Procedure

Created by James Girard, Modified on Mon, 24 Nov at 3:12 PM by James Girard

(Internal Use – Freshdesk Knowledge Base)

This article describes how our internal teams must process a customer’s request to delete all their personal data across our entire Information System (IS).
Freshdesk is the central place where the request is received, tracked, validated, executed, and archived.





1. Purpose

  • Ensure GDPR Art. 17 compliance (Right to Erasure)

  • Provide transparency and traceability

  • Centralize all actions in a Freshdesk ticket

  • Cover deletion actions across all systems, not only Freshdesk


2. Where Customers Can Request Deletion

Customers may send a deletion request through:

  • Email to Support

  • Email to the DPO

  • Web contact form

  • A Freshdesk ticket created by the customer

  • Contractual request provided in writing

All requests must be recorded in Freshdesk as a ticket.


3. How to Log the Request in Freshdesk

  1. Create or open the corresponding ticket.

  2. Add the tag: DSR-Erasure.

  3. Attach the original request (email, form, PDF).

  4. Add an Internal Note with the date/time the request was received.

  5. Send an acknowledgment to the customer (reply template available).

  6. SLA: Start the 30-day legal window (10 business days internal target).


4. Identity Verification

Before continuing, verify the requester’s identity:

Accepted methods:

  • Email matches the customer’s account

  • Requester provides known customer details (ID, reference number)

If identity cannot be confirmed → escalate to DPO.
Add an Internal Note documenting the verification steps.


5. DPO Validation

Support must forward the request to the DPO for approval.

The DPO must:

  • Validate or reject the request

  • Identify which systems store the customer’s data

  • Document the decision in the Freshdesk ticket (Internal Note)

Only after DPO approval may support begin the deletion process.


6. Execution of Deletion Across All Systems

Support and Engineering must remove or anonymize personal data in all systems, including:

✔ Freshdesk

  • Delete the contact

  • Delete or anonymize tickets

  • Remove the email from automations/integrations

✔ CRM / Customer Database

  • Delete the profile

  • Remove associated metadata

  • Anonymize historical entries if required

✔ Application Databases

  • Search all PII fields

  • Delete or anonymize customer data

  • Execute database scripts as needed

✔ Logs & Monitoring

  • Delete or anonymize PII in logs

  • If deletion is impossible: document the legal basis for retention

✔ Backups

  • No immediate modification (immutability)

  • Document that data will disappear via standard rotation

✔ Third-Party Services

Examples: payment provider, email provider, analytics, cloud storage

  • Delete customer data

  • Attach provider confirmation to the Freshdesk ticket


7. Internal Control Checklist

Before closure, verify that:

  • All systems listed by the DPO have been processed

  • No remaining personal data exists (search by email, name, ID)

  • Third-party confirmations received

  • Screenshots attached

  • Logs or script outputs attached

A second person (Lead or DPO) must confirm completion.

Add an Internal Note: “DSR – Internal Control Completed”.


8. Documentation and Proof (Stored in Freshdesk Ticket)

Attach or document the following:

  • Original customer instruction

  • Identity verification

  • DPO approval

  • List of all systems processed

  • Actions performed for each system

  • Screenshots of deletions/anonymizations

  • Script outputs / logs

  • Third-party confirmations

  • Final verification results

  • Date of completion

  • Name of executor

Add the final tag: DSR-Complete.


9. Customer Notification

Once all systems are processed, send the official confirmation:

Subject: Your Personal Data Deletion Request – Completed
We confirm that your personal data has been deleted or anonymized across our systems according to GDPR and ISO 27701 requirements.
Feel free to contact our DPO for any further questions.

Use the Freshdesk reply template or macro if available.


10. Retention of the Deletion Record

  • The Freshdesk ticket serves as the official audit log

  • Retained 3 years for ISO 27701 compliance

  • Must not contain personal data after deletion (only operational evidence)
