This article will guide you through the process of the Data Erasure Request under GDPR. You will learn when you can ask for your personal data to be deleted, what your request should look like, and what timeframe for processing the request you can expect.
Please bear in mind that there are some specific circumstances when the organization can refuse to erase your data, e.g., on invoices. You can read more about refusing compliance with data erasure requests here.
What is the right to get your data deleted?
Also known as the right to erasure or right to be forgotten, the GDPR gives individuals the right to ask organizations to delete their personal data.
Based on information from Article 17 of the GDPR, the right to erasure is defined as follows: “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay” (“undue delay” is considered to be about a month). Personal data can be erased only if one of a number of conditions applies (see below). You might also be asked to verify your identity, as we must ensure that the person requesting erasure is actually the data subject.
When can I request that my personal data be deleted?
You have the right to have your personal data erased if:
The organization no longer needs your data for the purpose for which it was originally collected or used
You initially consented to the organization using your data but have now withdrawn your consent
You have objected to the use of your data, and your interests outweigh those of the organization using it
You have objected to the use of your data for direct marketing purposes
The organization has collected or used your data unlawfully
The organization has a legal obligation to erase your data
The data was collected from you as a child for an online service
An organization is processing personal data for direct marketing purposes and the individual objects to this processing
An organization processed an individual’s personal data unlawfully
An organization must erase personal data in order to comply with a legal ruling or obligation
An organization has processed a child’s personal data to offer their information society services
How do I ask for my data to be deleted?
There are no particular guidelines on what a valid request should look like. You can make a request for erasure verbally or in writing. However, we highly recommend you reach us via email. This will allow you to precisely describe your concern, let us know what personal data you want us to delete, and explain the next steps you expect from us. Both sides will also have clear proof of communication in case of potential confusion or misunderstanding, or just as a reminder of the circumstances.
As previously mentioned, there is no single correct way to word your request, but you may find it useful to use the template below to help you cover all the information we might need.
Hi [name of the person you have been in contact with / there]
Right to erasure
[Your full name and email address or any other details to help identify you]
I wish to exercise my right to erasure under data protection law.
[Give details of what personal data you want to be erased/deleted.]
Please send a full response within one calendar month confirming if you will comply with my request. If you cannot respond within that timescale, please tell me when you will be able to respond.
If there is anything you would like to discuss, please contact me.
After receiving your personal data deletion request, we have one calendar month to respond. Please feel free to send us a follow-up email if needed and we will get back to you immediately. After your request has been processed, all your personal data will be deleted from our systems.