After receiving your request, a business should delete your data, unless they refuse to do so because an exemption applies. Examples of exemptions include:
-
it’s necessary to keep your data for reasons such as freedom of expression or information (eg work for journalism, academic, artistic and literary purposes)
-
the data is necessary for legal claims that require establishing, exercising or defending the claims
-
retention of the data is necessary for reasons of public health
When you make a successful deletion request (ie one that results in your data being deleted), the business should contact any third parties, with which they shared your data, about your data deletion request. This can only be refused if it would be impossible or involve a disproportionate effort.
If your personal data has been published online (eg social networks and websites) the business has to take reasonable steps to inform those responsible for these sites to erase your personal data.
For more information, read Making data deletion requests and Data protection requests.