Making data deletion requests

You can request for your personal data to be deleted if:

• it is no longer necessary for the organisation to keep your data for its original purpose (eg after you have cancelled a gym membership, the gym no longer needs to keep details on your name, address, age and health conditions)

• the organisation relied on consent to lawfully hold the data and you have now withdrawn your consent (eg you agreed to partake in a market research study and later changed your mind)

• you objected to the use of your data and your interests outweigh those of the organisation using it

• the data was used for direct marketing and you object to that processing (for more information, read Objecting to the use of personal data)

• the organisation has collected or used your data unlawfully (eg the organisation hasn’t complied with data protection rules)

• the organisation has a legal obligation to delete your data

• the data was collected from you as a child for the use of an online service (eg you registered for and used social media as a child). Special protection is awarded to children’s data, especially online, as they may be less aware of the risks and consequences of giving their data to organisations. This means that even if you are an adult now, you can request that data provided by you as a child is now deleted

You should contact the organisation and inform them which personal data you want them to delete. A request to have your data deleted can be made verbally or in writing; however, it is recommended that you make such a request in writing in order to have a record of the request. If you make a verbal request, follow up in writing to explain your concern, give evidence and state your desired solution.

Organisations will usually outline this procedure within their privacy policy and/or terms and conditions documentation.

Content of a deletion request

While there is no specific format for a deletion request, it should generally include:

• your name, address and any details to help the organisation identify you

• a statement that you wish to exercise your right of erasure

• details of the personal data you want to have deleted

• a request for a response within a timeframe (typically one calendar month) confirming that they will comply with your request

You can make your request using our Data erasure request.

Sending a deletion request

Your data deletion request doesn’t need to be addressed to a specific person and you can generally send it to any part of the organisation. However, you should make sure that your request has been received by asking for receipt of confirmation.

Ask a lawyer if you have any questions about making a data deletion request.

After receiving a deletion request, an organisation should delete your data, unless they refuse to do so because an exemption applies (see ‘Can organisations refuse my request?’ for more information).

When you make a successful deletion request, an organisation should generally contact any third parties with which they shared your data about your data deletion request. Organisations can only refuse to do this if it would be impossible or involve a disproportionate effort. Organisations should also inform you if they have shared your data with anyone else.

If your personal data has been published online (eg social networks and websites) the organisation has to take reasonable steps to inform those responsible for these sites to erase your personal data.

An organisation may be able to refuse a data deletion request if an exemption applies, including:

• if it is necessary for the organisation to keep your data for reasons such as freedom of expression or information (eg work for journalism, academic, artistic and literary purposes)

• if organisations are legally obliged to keep your data (eg complying with financial or other regulatory authorities)

• if the organisation is carrying out a task that is public for public interest or exercising their official authority

• when the data is necessary for legal claims that require establishing, exercising or defending the claims

• when the erasure of your personal data would prejudice scientific or historical research, or archiving that is in the public interest

• if the data deletion request is ‘manifestly unfounded or excessive’ (eg the request was only made to harass or disrupt the organisation)

With regards to special category personal data (eg information about physical or mental health or condition) the right to erasure doesn’t apply if the retention of your data is necessary for:

• reasons of public health

• preventative or occupational medicine purposes. This only applies where the data is being used by or under the responsibility of a professional with a legal obligation of professional secrecy (eg a health professional)

Organisations generally have one month to respond to your request. In some circumstances (eg if you have made several requests or where proof of ID is required), organisations may need extra time to consider your request and can take up to an extra two months to respond. Organisations should inform you within one month if they need more time and explain why. 

While data requests should generally be dealt with and provided free of charge, an organisation may be able to charge a fee in certain, limited circumstances (eg where the organisation finds the request to be manifestly unfounded or excessive).

For more information, read Data protection requests.

If an organisation doesn’t respond to your request or you are dissatisfied with their response, you should contact the organisation. If you do not receive a response or remain dissatisfied with the response, you can complain to the ICO. You can also consider seeking enforcement through the courts. For more information, read Data protection requests.