What is the right to erasure?
Article 17 of the GDPR gives individuals the ‘right to erasure’, also known as the ‘right to be forgotten’ or ‘right to data deletion’. This right allows individuals to request that an organisation delete the personal data it holds on the individual.
When does the right to erasure apply?
You can request that your personal data be deleted if:
- it is no longer necessary for the organisation to keep your data for its original purpose (eg if you were to cancel a food box subscription, the seller no longer needs to keep a record of your name, address, and food preferences etc)
- the organisation relied on consent to lawfully process the data and you have now withdrawn your consent (eg you agreed to be sent a survey to fill in, but you later changed your mind)
- you object to the use of your data and either:
  - your interests outweigh those of the organisation using it, or
  - your data was used for direct marketing and you object to this
- the organisation has collected or used your data unlawfully (eg the organisation hasn’t complied with data protection rules)
- the organisation has a legal obligation to delete your data
- the data was collected from you when you were a child, for the use of an online service (eg if you registered for and used social media as a child). Special protection is awarded to children’s data, especially online, as children may be less aware of the risks and consequences of giving their data to organisations. This means that, even if you are an adult now, you can request that the data you provided to an organisation as a child is deleted
How do I make a data deletion request?
If you want an organisation to delete your personal data from its records, contact the organisation directly and set out which personal data you want deleted. While the deletion request can be made verbally or in writing, it is best to make requests in writing in order to have a written record. If you make a verbal request, follow up in writing. Organisations will usually outline this procedure within their Privacy policy and/or Terms and conditions documentation.
What should my data deletion request include?
When you make your request, you should generally explain your concern, give evidence, and state your desired solution. While there is no specific format that’s required for a deletion request, it should generally include:
- your name, address, and any details to help the organisation identify you
- a statement that you wish to exercise your right of erasure
- details of the personal data you want to have deleted
- a request for a response within a specified timeframe (usually one calendar month), which should confirm that they will comply with your request
Use our Data erasure request to request that an organisation delete your personal data.
How should I send my deletion request?
Your data deletion request doesn’t need to be addressed to a specific person and you can generally send it to any part of the organisation that holds your data. However, you should make sure that your request has been received by asking for confirmation.
You can Ask a lawyer for assistance if you have any questions about making a data deletion request.
How will organisations handle requests made under the right to be forgotten?
After receiving a data deletion request, an organisation should delete your data, unless they refuse to do so because an exemption applies (see ‘Can organisations refuse my deletion request?’ for more information).
When you make a successful deletion request, an organisation should generally contact any third parties with which they shared your data to tell them about your data deletion request. This should be done unless doing so would be impossible or would involve a disproportionate effort. Organisations should also inform you if they have shared your data with anyone else.
If your personal data has been published online (eg on social media platforms and websites), the organisation that collected your data has to take reasonable steps to tell those responsible for these sites about your deletion request. They should tell them to erase your personal data.
Can organisations refuse my deletion request?
An organisation may be able to refuse (either entirely or partially) a data deletion request if an exemption applies, for example:
- if it is necessary for the organisation to keep your data for reasons such as freedom of expression or freedom of information (eg for journalism, artistic, academic, or literary purposes)
- if an organisation is legally obliged to keep your data (eg to comply with financial or other regulatory authorities’ requests or regulations)
- if the organisation is carrying out a task that is performed for public interest reasons or to allow them to exercise their official authority
- when the data is necessary for establishing, exercising, or defending a legal claim
- when erasing the personal data would prejudice scientific or historical research or archiving that is in the public interest
- if the data deletion request is ‘manifestly unfounded or excessive’ (eg the request was only made to harass or disrupt the organisation)
Additional exceptions apply (ie the right to erasure does not apply) to requests for deletion of special category personal data (eg personal data about someone’s health or political opinion). Exceptions may apply if your special category data is necessary for:
- public health reasons
- preventative or occupational medicine purposes or similar (eg the management or provision of health or social care). This only applies where the data is being used by or under the responsibility of a professional with a legal obligation of professional secrecy (eg a health professional)
Even if an exception applies and the organisation decides not to fulfil your deletion request, they must still respond to your request. They should explain their reasoning for refusing your request and should provide information about how you can complain about their decision not to comply.
For more information on exemptions to data deletion requests, see the Information Commissioner’s Office’s (ICO’s) guidance on when the right to erasure does not apply.
What are other considerations for data deletion requests?
After making a data deletion request, you should understand how long an organisation has to respond to your request. As a general rule, organisations have one month to respond to a data deletion request. In some circumstances, organisations may take up to another 2 months to respond to your request, for example, if they require proof of ID.
Similarly, organisations should generally deal with data deletion requests without charging a fee. However, in limited circumstances a reasonable fee may be charged, for example if the organisation considers your request to be manifestly unfounded or excessive.
While organisations should acknowledge your data deletion request, they may fail to do so, or you may be unhappy with the response you receive. In these circumstances, you should try to resolve the situation by complaining to the organisation. If, after doing this, you do not receive a response or you remain dissatisfied with the organisation’s response, you can complain directly to the ICO. It may also be possible to seek enforcement through the courts.
For more information, read Data protection requests.
Ask a lawyer if you have any questions about the right to be forgotten. To find out more about your data protection rights in general, read Data protection and privacy.
If you are a business or other organisation and want to find out more about how to handle data deletion requests, read Data protection requests. For more general information about data protection, read Data protection for businesses.