EU VASP: Erasure Requests

(Step-by-Step)

Goal: honour a customer’s GDPR erasure request while lawfully retaining the records required under AMLR, MiCA and the Travel Rule.

1) Intake & clock starts

• Log the request (ticket ID, requester, date/time, scope, channel).
• Verify identity to a reasonable level (match KYC information on file).
• Start the GDPR clock: respond within 1 month (extensions must be explained).

2) Freeze changes (but keep service running if needed)

• Place a processing hold so data isn’t recreated during the request.
• Pause marketing and profiling immediately.

3) Map what you hold (by system)

Create a quick list per system/vendor:

• Core account (profile, preferences, avatars).
• KYC/AML files (ID, proof of address, risk/EDD, CDD notes).
• Transactions & order flow (orders, crypto transfers, order books).
• Travel Rule data (originator/beneficiary information).
• Support & communications (tickets, chat, call logs).
• Analytics/marketing (events, cookies, CRM lists).
• Backups & archives (note locations; see step 8).

4) Decide what must be retained (restrict access; don’t delete)