
You can ask an organisation that holds data about you to delete that data and, in some circumstances, it must then do so. This is known as the right to erasure. You may sometimes hear it called the ‘right to be forgotten’.
How do you ask for your data to be deleted?
You should contact the organisation and let it know what you want erased. You don’t have to ask a specific person – you can contact any part of the organisation with your request.
A request can be verbal or in writing. We recommend you follow up any verbal request in writing because this will allow you to explain your concern, give evidence and state your desired solution. It will also provide clear proof of your actions if you decide to challenge the organisation’s initial response.
When can you request erasure?
The right to erasure is not absolute. The right only applies in the following circumstances:
- The organisation no longer needs your data.
Example: after you have cancelled your gym membership, it no longer needs to keep details of your name, address, age and health conditions.
- You initially consented to the use of your data, but have now withdrawn your consent
Example: you agreed to take part in a market-research study and now no longer wish to do so.
- You have objected to the use of your data, and your interests outweigh those of the organisation using it
For more, read ‘Your right to object to how your data is used’.
- The organisation has collected or used your data unlawfully
Example: it hasn’t complied with the rules on data protection.
- The organisation has a legal obligation to erase your data.
- The data was collected from you as a child for an online service.
Example: social media or a gaming app.
The law gives children special protection because they may be less aware of the risks and consequences of giving their data to organisations. Even if you are now an adult, you have a right to have your data erased if it was collected from you as a child.
For more about this, see our guidance on Children’s Rights.
What to do if the organisation does not respond or you are dissatisfied with the outcome
If you are unhappy with how the organisation has handled your request, you should first complain to it.
Having done so, if you remain dissatisfied you can make a complaint to the ICO.
You can also seek to enforce your rights through the courts. If you decide to do this, we strongly advise you to seek independent legal advice first.
How should I raise my concern about how an organisation has handled my information?
You can use the template letter below to help you raise your concerns.
[Your full address] [Name and address of the organisation] Dear [Sir or Madam / name of the person you have been in contact with] Information rights concern I am concerned that you have not handled my personal information properly. [Give details of your concern, explaining clearly and simply what has happened and, where appropriate, the effect it has had on you.] I understand that before reporting my concern to the Information Commissioner’s Office (ICO) I should give you the chance to deal with it. If, when I receive your response, I would still like to report my concern to the ICO, I will give them a copy of it to consider. You can find guidance on your obligations under information rights legislation on the ICO’s website (www.ico.org.uk) as well as information on their regulatory powers and the action they can take. Please send a full response within one calendar month. If you cannot respond within that timescale, please tell me when you will be able to respond. If there is anything you would like to discuss, please contact me on the following number [telephone number]. Yours faithfully |