Skip to main content
All articles
Compliance
7 min read

GDPR's Right to Erasure Applies to Metadata -- Is Your Workflow Ready?

Article 17 of GDPR requires erasure of personal data on request. If personal data lives in document metadata, those fields must be erased too.

The right to erasure is not limited to databases

Article 17 of the General Data Protection Regulation grants data subjects the right to request erasure of their personal data. Most organizations implement this by deleting records from databases, removing entries from CRM systems, and purging email archives.

But personal data does not live exclusively in databases. It lives in document metadata — author names, email addresses, GPS coordinates, revision history entries, and comment author fields embedded in PDFs, Word documents, Excel spreadsheets, PowerPoint presentations, and images stored across file servers, cloud storage, email archives, and content management systems.

If a data subject requests erasure and their personal data exists in the metadata of documents your organization holds, Article 17 applies to those metadata fields. Deleting the database record while leaving the person's name in the Author field of 200 Word documents across your SharePoint environment does not constitute complete erasure.

What personal data appears in metadata

Document metadata routinely contains data that qualifies as personal data under GDPR's broad definition (Article 4(1): "any information relating to an identified or identifiable natural person").

Directly identifying metadata

  • Author and Last Modified By — the full name of the person who created or edited the document
  • Email addresses — sometimes stored in document properties, comments, or revision tracking
  • Usernames — Windows or macOS usernames that may correspond to real names
  • Comment author names — every comment in a Word, Excel, or PowerPoint file stores the author's name

Indirectly identifying metadata

  • GPS coordinates — EXIF data in photographs that reveals a person's location at a specific time
  • Device identifiers — camera serial numbers, smartphone UDIDs, or printer tracking dots that can be linked to a specific individual
  • IP addresses — sometimes logged in document collaboration metadata
  • Revision timestamps — combined with author names, these create a detailed record of an individual's work activity

The challenge of finding metadata in archived documents

The fundamental challenge of metadata erasure is discovery. Personal data in a database is structured, indexed, and queryable. Personal data in document metadata is unstructured, distributed across thousands of files, and stored in format-specific locations within each file type.

Where metadata hides in an organization

  • File servers — legacy documents accumulated over years, often with no systematic organization
  • SharePoint and OneDrive — cloud-stored documents with metadata in both the file and the platform's own metadata layer
  • Email archives — attachments in sent and received emails, each carrying their own metadata
  • Content management systems — documents stored with CMS metadata layered on top of the file's native metadata
  • Backup systems — archived copies of documents that may contain metadata already erased from the live versions
  • Local machines — copies of documents on employee laptops and desktops

The scale problem

An organization processing an Article 17 erasure request for a former employee must search all of these locations for documents where the employee's name appears in metadata fields. For a long-tenured employee who created and edited thousands of documents, the scope is enormous.

Manual inspection is not feasible at this scale. Searching filenames is insufficient because the personal data is inside the files, not in their names. Even full-text search tools typically do not index document metadata fields.

DPA enforcement and expectations

Data protection authorities across the EU have taken enforcement actions related to incomplete erasure. While most publicized cases involve database records rather than document metadata specifically, the legal principle is clear: Article 17 applies to personal data regardless of where it is stored.

The European Data Protection Board's guidelines on the right to erasure emphasize that controllers must take "reasonable steps" to identify and erase personal data across all processing systems. A documented inability to search document metadata is not a defense — it is an indication that the organization lacks adequate data processing inventory and controls.

Practical enforcement risk

The most likely enforcement scenario involving document metadata is not a DPA proactively auditing your files. It is a data subject who:

  1. Submits an erasure request
  2. Receives confirmation that their data has been erased
  3. Later discovers their name in the metadata of a document your organization shared externally
  4. Files a complaint with the relevant DPA

At that point, the organization must demonstrate that it took reasonable steps to identify and erase all instances of the data subject's personal data — including metadata.

What a compliant erasure workflow looks like

Step 1: Data mapping that includes metadata

Your Record of Processing Activities (Article 30) should include document metadata as a category of personal data processing. Map where documents are created, stored, shared, and archived, and identify which metadata fields contain personal data.

Step 2: Metadata-aware search capability

When processing an erasure request, you need the ability to search document metadata across your file storage systems. This requires tools that can:

  • Open each supported file format (PDF, DOCX, XLSX, PPTX, JPEG, PNG, etc.)
  • Extract metadata fields (author, last modified by, comments, revision history, EXIF data)
  • Match the data subject's identifying information against extracted metadata
  • Report which files contain matches and in which fields

Step 3: Targeted metadata erasure

For each file identified as containing the data subject's personal data in metadata, you need to either:

  • Remove the specific metadata fields containing the personal data while preserving the document's content and non-personal metadata
  • Delete the file entirely if the document is no longer needed and deletion is appropriate
  • Document a lawful basis for retention if the document must be kept and the metadata cannot be removed (e.g., legal hold, regulatory retention requirement)

Step 4: Verification

After metadata erasure, re-scan the affected files to confirm that the personal data has been successfully removed. This verification step is essential because metadata removal can fail silently — the tool reports success, but the data persists in an unexpected location within the file structure.

Step 5: Documentation

Document the erasure process: which systems were searched, how many files were found, what actions were taken, and the verification results. This documentation is your evidence of compliance if the erasure is later questioned.

Exemptions and practical limits

Article 17 includes exemptions. Erasure is not required when processing is necessary for:

  • Exercising the right of freedom of expression and information
  • Compliance with a legal obligation
  • Public health purposes
  • Archiving in the public interest, scientific or historical research, or statistical purposes
  • Establishment, exercise, or defense of legal claims

For document metadata specifically, the most relevant exemption is legal obligation. If regulatory requirements mandate retaining documents with their original metadata (e.g., financial records under MiFID II or SOX), the organization has a lawful basis for not erasing the metadata — but must document this basis and inform the data subject.

Backup systems

Backup copies of documents present a particular challenge. When you erase metadata from live documents, the pre-erasure versions may still exist in backups. The EDPB guidance acknowledges that erasing data from backup systems may be technically difficult and that organizations may defer backup erasure until the next backup cycle or until the backup is restored.

However, the organization must ensure that if a backup containing the unerased metadata is restored, the erasure is re-applied. This requires maintaining a log of erasure requests and checking restored data against that log.

Purgit scans documents for personal data in metadata fields — author names, email addresses, GPS coordinates, comment authors, and revision history. For organizations processing GDPR erasure requests, Purgit identifies where personal data lives in document metadata across supported file formats.

[Scan a File Free]

Scan before you share.

Try Purgit free — no account required.

Scan a File Free