# GDPR deletion requests

To comply with the terms of the [General Data Protection Regulation (GDPR)](https://gdpr-info.eu/), Solaris must delete customer data when requested or otherwise legally required to do so. Your solution must follow specific guidelines regarding handling (and deleting) personal customer data. This guide describes how to handle GDPR deletion requests in your system.

## How to handle a GDPR deletion request

If you store any kind of customer data in your system, you must subscribe to the [`PERSON_DELETED` webhook](/api-reference/onboarding/webhooks/webhook-events/paths/person_deleted/post) to receive notifications whenever Solaris deletes a customer's data. If you also serve business customers, you must subscribe to the [`BUSINESS_DELETED` webhook](/api-reference/onboarding/webhooks/webhook-events/paths/business_deleted/post).

note
As soon as you receive a `PERSON_DELETED` or `BUSINESS_DELETED` notification, you must **immediately** delete all data related to the person or business named in the webhook payload.

Notifications on the `PERSON_DELETED` and `BUSINESS_DELETED` webhooks will contain the ID of the deleted person or business.

**Example payload:**


```json
{
    "id": "d57e8c6c42a94dff9c2db57c4a42cper"
}
```

note
Solaris is legally required to delete all records related to persons who did not become Solaris customers (i.e., did not establish a contractual relationship with Solaris) within **90 days** of collection. After this 90-day period passes, Solaris will send a `PERSON_DELETED` (or `BUSINESS_DELETED`) webhook notification, at which point you must **immediately** delete their data.