Know your rights. It’s your right to ask an organisation to delete the personal data they hold on you. This is called the right to erasure, or the right to be forgotten.
This right is covered in Article 17 of the GDPR, as follows:
“The data subject (that’s you) shall have the right to obtain from the controller (that’s the organisation) the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay…”
This guide will show you how you can make a right to erasure request to an organisation, under what circumstances you can exercise this right and what to expect from the organisation.
How do I delete my data from an organisation?
You should contact the organisation and let them know what you want deleted.
You can send this request in any format. A request can be verbal, in writing, via social media or by using our free tool Tapmydata.
If you make a request verbally we recommend that you follow up in writing because doing so gives you proof of your actions should you need to challenge that organisation at a later date.
Does the organisation have to delete my data?
No. The right to erasure, or right to be forgotten, is not always possible. The right applies in these circumstances:
- The organisation doesn’t need your data (Example: after you have cancelled your phone contract, the phone company no longer needs to keep details of your name, address or age)
- You consented to the use of your data, but have now withdrawn your consent (Example: you agreed to sign up for an online newsletter but now no longer wish to be signed up to that newsletter)
- You have objected to the use of your data (for more, read ‘Your right to object to how your data is used’)
- The organisation has collected or used your data unlawfully (Example: The organisation has gathered your personal data through an illegal data broker)
- The organisation has a legal obligation to erase your data
Use a tool, make life easier
We built Tapmydata to make it easy for citizens to exercise their data rights.
I am not happy with the response, what can I do?
If you are still unsatisfied, you can make a complaint to the Information Commisioner’s Office (ICO).
What should organisations do?
The organisation should delete your data. The organisation should also inform any other organisations it has shared your data with about the erasure. It can only refuse your right to be forgotten request if it is impossible or involves a “disproportionate” effort.
Can the organisation say no?
Some organisations can refuse to delete your data because of the following:
- When the organisation has to legally keep hold of your data
- When keeping your data is necessary for reasons of public health
- If the request is, as the law states “manifestly unfounded or excessive”
- When keeping your data is necessary for establishing, exercising or defending legal claims
- When keeping your data is necessary for reasons of freedom of expression and information (things like journalism and academic purposes)
Don’t forget, if the organisation says it does not need to erase your data, it must respond back to you. The organisation should explain why it will not erase your data.
When should I get a response?
Organisations generally have one calendar month to respond to your right to be forgotten request. In some situations it may need more time to consider the request, and this can take up to an extra two months.
The organisation must let you know within one month that it needs more time and the reasons why.
Will it cost me anything?
Generally, no! Organisations can only charge a fee if the right to erasure request is as the law states “manifestly unfounded or excessive”. The organisation then may be able to ask for a fee for admin costs associated with your request.
We hope you found this guide useful. Go to the My Data Rights section of our blog for more guides.