What is the right to get your data deleted?
The right to get your data deleted is also known as the ‘right to erasure’. You can ask an organisation that holds data about you to delete that data. In some circumstances, they must then do so. You may sometimes hear this called the ‘right to be forgotten’.
When can I ask for my data to be deleted?
The right only applies in the following circumstances:
- The organisation no longer needs your data for the original reason they collected or used it.
After you have cancelled your gym membership, the gym no longer needs to keep details of your name, address, age and health conditions.
- You initially consented to the organisation using your data, but have now withdrawn your consent.
You agreed to take part in a market research study and now don’t want to.
- You have objected to the use of your data, and your interests outweigh those of the organisation using it.
- You have objected to the use of your data for direct marketing purposes.
For more information on the right to object, read ‘Your right to object to how your data is used’.
- The organisation has collected or used your data unlawfully.
It hasn’t complied with the rules on data protection.
- The organisation has a legal obligation to erase your data.
- The data was collected from you as a child for an online service.
You used social media or a gaming app as a child.
The law gives children special protection, especially online, because they may be less aware of the risks and consequences of giving their data to organisations. Even if you are now an adult, you have a right to have your data erased if it was collected from you as a child.
For more about this, see our guidance on Children’s rights.
How do I ask for my data to be deleted?
You should contact the organisation and let them know what personal data you want them to erase. You don’t have to ask a specific person – you can contact any part of the organisation with your request.
You can make your request verbally or in writing. We recommend you follow up any verbal request in writing because this will allow you to explain your concern, give evidence and explain what you want to happen. You will also have clear proof of your actions, if you decide to challenge the organisation’s response.
There are no specific words that you must use, but you may find it useful to use the template below to help you exercise your right to erasure.
[Your full address]
[Name and address of the organisation]
[Reference number (if applicable)]
Dear [Sir or Madam / name of the person you have been in contact with]
Right to erasure
[Your full name and address and any other details such as account number to help identify you]
I wish to exercise my right of erasure under data protection law.
[Give details of what personal data you want erased/deleted.]
You can find guidance on your obligations under information rights legislation on the website of the Information Commissioner’s Office (www.ico.org.uk) as well as information on their regulatory powers and the action they can take.
Please send a full response within one calendar month confirming if you will comply with my request. If you cannot respond within that timescale, please tell me when you will be able to respond.
If there is anything you would like to discuss, please contact me.
What should the organisation do?
The organisation should delete your data, unless an exemption in data protection law applies (see below).
They should also tell anyone else they have shared your data with about the erasure. They can only refuse to do this if it would be impossible or involve disproportionate effort. If you ask, they must also tell you that they have shared your data with other organisations.
If your data has been made public online – such as on social networks, forums or websites – then the organisation must take reasonable steps to inform the people with responsibility for these sites to erase links or copies of that data.
When can the organisation say no?
The organisation can refuse to erase your data in the following circumstances:
- When keeping your data is necessary for reasons of freedom of expression and information (this includes journalism and academic, artistic and literary purposes).
- When the organisation is legally obliged to keep hold of your data such as to comply with financial or other regulations.
- When the organisation is carrying out a task in the public interest or when exercising their official authority.
- When keeping your data is necessary for establishing, exercising or defending legal claims.
- When erasing your data would prejudice scientific or historical research, or archiving that is in the public interest.
Also, the right to erasure does not apply to special category data in the following circumstances:
- When keeping hold of your data is necessary for reasons of public health in the public interest.
- When keeping your data is necessary for the purposes of preventative or occupational medicine; for the assessment of the working capacity of the employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services. This only applies if the data is being used by or under the responsibility of a professional who is under a legal obligation of professional secrecy, such as a health professional.
If an exemption applies, the organisation can either fully or partly refuse to comply with your request.
The organisation can also refuse your request if it is, as the law states, ‘manifestly unfounded or excessive’.
There is no set definition of what makes a request ‘manifestly unfounded or excessive’. It depends on the particular circumstances of your request. For example, an organisation may consider a request to be ‘manifestly unfounded or excessive’ if it is clear that it has been made with no real purpose except to cause the organisation harassment or disruption.
In such circumstances the organisation can:
- request a reasonable fee to deal with the request; or
- refuse to deal with the request.
In either case they will need to tell you and justify their decision.
If, having considered your request, the organisation decides it does not need to erase your data, they must still respond to you. They should explain why they believe they don’t have to erase your data, and let you know about your right to complain about this decision to the ICO, or through the courts.
How long should the organisation take?
An organisation has one calendar month to respond to your request. In certain circumstances they may need extra time to consider your request and can take up to an extra two months. If they are going to do this, they should let you know within one month that they need more time and the reasons why. For more on this, see our guidance on time limits.
The organisation might need you to prove your identity. However, they should ask you for only enough information to be sure you are the right person. If they do this, then the one-month time period to respond to your request begins from when they receive this additional information.
Can the organisation charge a fee?
In most circumstances, no. An organisation can only charge a fee if the request is ‘manifestly unfounded or excessive’. They may then ask for a reasonable fee for administrative costs associated with your request.
What to do if the organisation does not respond or you are dissatisfied with the outcome
If you are unhappy with how the organisation has handled your request, you should first raise a concern with them and give them the opportunity to resolve the matter.
Having done so, if you remain dissatisfied you can make a complaint to the ICO.
You can also seek to enforce your rights through the courts. If you decide to do this, we strongly advise you to seek independent legal advice first.