Profile information Account settings
Logout
Sign up Log in

Making data deletion requests

Article 17 of the UK General Data Protection Regulations (GDPR) grants individuals the ‘right to erasure’ or ‘the right to be forgotten’. This right allows individuals to have their personal data deleted from businesses’ or other organisations’ records. Read this guide to learn how to make data deletion requests.

Make your Data erasure request
Get started
Answer a few questions. We'll take care of the rest

You can request that your personal data is deleted if:

  • it is no longer necessary for the organisation to keep your data for its original purpose (eg if you were to cancel a food box subscription, the seller no longer needs to keep a record of your name, address, and food preferences etc)

  • the organisation relied on consent to lawfully hold the data and you have now withdrawn your consent (eg you agreed to be sent a survey to fill in, but you later changed your mind)

  • you object to the use of your data and either: 

    • your interests outweigh those of the organisation using it, or

    • your data was used for direct marketing, which you object to

  • the organisation has collected or used your data unlawfully (eg the organisation hasn’t complied with data protection rules)

  • the organisation has a legal obligation to delete your data

  • the data was collected from you when you were a child, for the use of an online service (eg if you registered for and used social media as a child). Special protection is awarded to children’s data, especially online, as children may be less aware of the risks and consequences of giving their data to organisations. This means that, even if you are an adult now, you can request that data you provided to an organisation as a child is deleted now

If you want an organisation to delete your personal data from their records, you should contact them and inform them which personal data you want to be deleted. The request can be made verbally or in writing. However, it is usually best to make such a request in writing in order to have a record of the request. If you make a verbal request, follow up in writing. Organisations will usually outline this procedure within their Privacy policy and/or Terms and conditions documentation.

What should a data deletion request include?

When you make your request, you should generally explain your concern, give evidence, and state your desired solution.

While there is no specific format that’s required for a deletion request, it should generally include:

  • your name, address, and any details to help the organisation identify you

  • a statement that you wish to exercise your right of erasure

  • details of the personal data you want to have deleted

  • a request for a response within a specified timeframe (usually one calendar month), which should confirm that they will comply with your request

You can make your request using our Data erasure request template.

Sending a deletion request

Your data deletion request doesn’t need to be addressed to a specific person and you can generally send it to any part of the organisation that holds your data. However, you should make sure that your request has been received by asking for confirmation.

You can Ask a lawyer for assistance if you have any questions about making a data deletion request.

After receiving an erasure request, an organisation should delete your data, unless they refuse to do so because an exemption applies (see ‘Can organisations refuse my deletion request?’ for more information).

When you make a successful deletion request, an organisation should generally contact any third parties with which they shared your data to tell them about your data deletion request. This should be done unless doing so would be impossible or would involve a disproportionate effort. Organisations should also inform you if they have shared your data with anyone else.

If your personal data has been published online (eg on social media platforms and websites), the organisation that collected your data has to take reasonable steps to tell those responsible for these sites about your deletion request. They should tell them to erase your personal data.

An organisation may be able to refuse (either entirely or partially) a data deletion request if an exemption applies, for example:

  • if it is necessary for the organisation to keep your data for reasons such as freedom of expression or freedom of information (eg for journalism, artistic, academic, or literary purposes)

  • if an organisation is legally obliged to keep your data (eg to comply with financial or other regulatory authorities’ requests or regulations)

  • if the organisation is carrying out a task that is performed for public interest reasons or to allow them to exercise their official authority

  • when the data is necessary for establishing, exercising, or defending a legal claim

  • when erasing the personal data would prejudice scientific or historical research or archiving that is in the public interest

  • if the data deletion request is ‘manifestly unfounded or excessive’ (eg the request was only made to harass or disrupt the organisation)

Additional exceptions apply (ie the right to erasure does not apply) to requests for deletion of special category personal data (eg sensitive information about physical or mental health conditions). Exceptions may apply if your special category data is necessary for:

  • public health reasons

  • preventative or occupational medicine purposes or similar, for example, the management or provision of health or social care. This only applies where the data is being used by or under the responsibility of a professional with a legal obligation of professional secrecy (eg a health professional)

Even if an exception applies and the organisation decides not to fulfil your deletion request, they must still respond to your request. They should explain their reasoning for refusing your request and should provide information about how you can complain about their decision not to comply. 

Organisations generally have one month to respond to your request. In some circumstances (eg if you have made several requests or if proof of ID is required), organisations may need extra time to consider your request and can take up to an extra two months to respond. Organisations should inform you within one month if they need more time and explain why. 

While data requests should generally be dealt with and responses provided free of charge, an organisation may be able to ask you to pay a fee in certain, limited circumstances (eg where the organisation considers the request to be manifestly unfounded or excessive).

For more information, read Data protection requests.

If an organisation fails to respond to your request or you are dissatisfied with their response, you should contact the organisation first. If you do not receive a response or you remain dissatisfied with the response, you can complain directly to the ICO. It’s also possible to seek enforcement through the courts. For more information, read Data protection requests.

Make your Data erasure request
Get started
Answer a few questions. We'll take care of the rest