1. Your data matters

Your right to get your data deleted

Share

You can ask an organisation that holds data about you to delete that data and, in some circumstances, it must then do so. This is known as the right to erasure. You may sometimes hear it called the ‘right to be forgotten’.

How do you ask for your data to be deleted?

You should contact the organisation and let it know what you want erased. You don’t have to ask a specific person – you can contact any part of the organisation with your request.

A request can be verbal or in writing. We recommend you follow up any verbal request in writing because this will allow you to explain your concern, give evidence and state your desired solution. It will also provide clear proof of your actions if you decide to challenge the organisation’s initial response. 

When can you request erasure?

The right to erasure is not absolute. The right only applies in the following circumstances:

  • The organisation no longer needs your data.

Example: after you have cancelled your gym membership, it no longer needs to keep details of your name, address, age and health conditions.

  • You initially consented to the use of your data, but have now withdrawn your consent

Example: you agreed to take part in a market-research study and now no longer wish to do so.

  • You have objected to the use of your data, and your interests outweigh those of the organisation using it

For more, read ‘Your right to object to how your data is used’.

  • The organisation has collected or used your data unlawfully

Example: it hasn’t complied with the rules on data protection.

  • The organisation has a legal obligation to erase your data.
  • The data was collected from you as a child for an online service.

Example: social media or a gaming app.

The law gives children special protection because they may be less aware of the risks and consequences of giving their data to organisations. Even if you are now an adult, you have a right to have your data erased if it was collected from you as a child.

For more about this, see our guidance on Children’s Rights.

What to do if the organisation does not respond or you are dissatisfied with the outcome

If you are unhappy with how the organisation has handled your request, you should first complain to it.

Having done so, if you remain dissatisfied you can make a complaint to the ICO.

You can also seek to enforce your rights through the courts. If you decide to do this, we strongly advise you to seek independent legal advice first.

How should I raise my concern about how an organisation has handled my information?

You can use the template letter below to help you raise your concerns.

[Your full address]
[Phone number]
[The date]

[Name and address of the organisation]
[Reference number (if provided within the initial response)]

Dear [Sir or Madam / name of the person you have been in contact with]

Information rights concern
[Your full name and address and any other details such as account number to help identify you]

I am concerned that you have not handled my personal information properly.

[Give details of your concern, explaining clearly and simply what has happened and, where appropriate, the effect it has had on you.]

I understand that before reporting my concern to the Information Commissioner’s Office (ICO) I should give you the chance to deal with it.

If, when I receive your response, I would still like to report my concern to the ICO, I will give them a copy of it to consider.

You can find guidance on your obligations under information rights legislation on the ICO’s website (www.ico.org.uk) as well as information on their regulatory powers and the action they can take.

Please send a full response within one calendar month. If you cannot respond within that timescale, please tell me when you will be able to respond.

If there is anything you would like to discuss, please contact me on the following number [telephone number].


Yours faithfully
[Signature]

What organisations should do?

The organisation should delete your data. It should also inform anyone else it has shared your data with about the erasure. It can only refuse to do this if it would be impossible or involve disproportionate effort. It must also inform you of the fact it has shared your data with these other people, if you ask.

If your personal data has been made public in an online environment –  such as on social networks, forums or websites – then the organisation must take reasonable steps to inform the people with responsibility for these sites about the erasure.

When can the organisation say no?

The organisation can refuse to erase your data in the following circumstances:

  • When keeping your data is necessary for reasons of freedom of expression and information (this includes journalism and academic, artistic and literary purposes).
  • When the organisation is legally obliged to keep hold of your data.
  • When keeping hold of your data is necessary for reasons of public health.
  • When keeping your data is necessary for establishing, exercising or defending legal claims.
  • When erasing your data would prejudice scientific or historical research, or archiving that is in the public interest.

The organisation can also refuse your request if it is, as the law states, “manifestly unfounded or excessive”.

If, having considered your request, the organisation decides it does not need to erase your data, it must still respond to you. It should explain to you why it believes it does not have to erase your data, and let you know about your right to complain about this decision to the ICO, or through the courts.

 How long should the organisation take?

An organisation has one calendar month to respond to your request. In certain circumstances it may need extra time to consider your request and can take up to an extra two months. If it is going to do this, it should let you know within one month that it needs more time and the reasons why. For more on this, see our guidance on Time Limits.

The organisation might need you to prove your identity. However, it should only ask you for just enough information to be sure you are the person whose data it holds. If it does this, the one-month time period to respond to your request begins from when it receives this additional information.

 Can it charge a fee?

In most circumstances, no. An organisation can only charge a fee if the request is “manifestly unfounded or excessive”. It may then ask for a reasonable fee for administrative costs associated with your request.