It’s your right to ask an organisation to delete the personal data they hold about you, and this is known as the “right to erasure” or the “right to be forgotten.”
This right is protected under Article 17 of the General Data Protection Regulation (GDPR), which states:
“The data subject (that’s you) shall have the right to obtain from the controller (that’s the organisation) the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay…”
This guide will walk you through how to make a right to erasure request, the circumstances under which you can exercise this right, and what you can expect from the organisation.
How Do I Delete My Data from an Organisation?
To make a request for your data to be deleted, simply contact the organisation and specify what data you want removed.
You can submit this request in any format: verbally, in writing, through social media, or by using a free tool like Tapmydata.
If you make the request verbally, it’s a good idea to follow up in writing. This gives you proof of your request, which could be useful if you need to challenge the organisation’s response later.
Does the Organisation Have to Delete My Data?
No, organisations are not always required to erase your data. The right to erasure applies in the following situations:
- The organisation no longer needs your data (e.g., after you’ve cancelled a service like a phone contract).
- You have withdrawn your consent for the use of your data (e.g., you previously agreed to an online newsletter but no longer wish to receive it).
- You have objected to the use of your data (for more, read “Your right to object to how your data is used”).
- The organisation has unlawfully collected or used your data (e.g., they obtained your personal data through an illegal data broker).
- The organisation has a legal obligation to erase your data.
Use a Tool to Make Life Easier
We created Tapmydata to help individuals exercise their data rights more easily. The app is free to use and available on both Apple and Android devices. We don’t collect or store your personal data.
What if I’m Not Satisfied with the Response?
If you’re unhappy with the organisation’s response to your request, you should first file a complaint with them. Try contacting their data protection officer or customer support team, which can usually be found on their website or privacy policy.
If you’re still not satisfied, you can escalate the matter by filing a complaint with the Information Commissioner’s Office (ICO).
What Should Organisations Do?
Organisations are required to delete your data. They must also inform any other organisations they have shared your data with about the erasure. They can only refuse to erase your data if it’s impossible or would require a disproportionate effort.
Can the Organisation Say No?
Yes, in some cases, an organisation can refuse your request to erase your data. This may occur when:
- The organisation is legally required to keep your data.
- The data is necessary for public health reasons.
- The request is “manifestly unfounded or excessive,” as defined by law.
- The data is required for establishing, exercising, or defending legal claims.
- The data is necessary for freedom of expression and information (such as for journalism or academic purposes).
If the organisation refuses your request, they must explain why.
When Should I Get a Response?
Organisations are generally required to respond to your right to erasure request within one month. In some cases, they may need more time to consider your request, and this can extend up to two additional months.
If they need extra time, they must inform you within the first month and explain why more time is necessary.