# GDPR deletion requests

To comply with the terms of the [General Data Protection Regulation
(GDPR)](https://gdpr-info.eu/), Solaris must delete customer data when
requested or otherwise legally required to do so. Your solution must follow
specific guidelines with regard to handling (and deleting) personal data from
customers. This page describes how to handle GDPR deletion requests in your
system.

## How to handle a GDPR deletion request

If you store any kind of data from customers in your system, then you must
subscribe to the [PERSON_DELETED
webhook](/api-reference/onboarding/webhooks/#tag/Webhook-events/paths/person_deleted/post) so that
you can receive notifications whenever Solaris deletes a customer's data. If you
also serve business customers, then you must also subscribe to the
[BUSINESS_DELETED
webhook](/api-reference/onboarding/webhooks/#tag/Webhook-events/paths/business_deleted/post).

note
As soon as you receive a `PERSON_DELETED` or `BUSINESS_DELETED` notification,
you must **immediately** delete all data related to the person or business named
in the webhook payload.

Notifications on the `PERSON_DELETED` and `BUSINESS_DELETED` webhooks will
contain the ID of the deleted person or business.

**Example payload:**


```json
{
    "id": "d57e8c6c42a94dff9c2db57c4a42cper"
}
```

note
Solaris is legally required to delete all records related to persons who did
not become Solaris customers (i.e., did not establish a contractual
relationship with Solaris) within **90 days** of collection. After this 90
day period has passed, Solaris will send a `PERSON_DELETED` (or
`BUSINESS_DELETED`) webhook notification, at which point you must
**immediately** delete their data.