Exercise Your Rights – Article 17 GDPR - Have your data deleted!

Have your cancelled your gym membership? Or deleted a workout app on your phone? Did you know that those gyms or apps may be required to delete the data they have about you?

The GDPR has greatly strengthened our rights for deleting personal data that is inaccurate, out of date or being used illegally. Read on to find out how to exercise your right to have your data deleted…

Your Right to be Forgotten

What is a right to deletion?

In the GDPR, the right to deletion is also called the right to erasure, or “the right to be forgotten*”. For this reason, the terms “delete” and “erase” are often used interchangeably. This right concerns your personal data processed by companies, organisations and businesses that you want erased or deleted from their systems.

Note that “The right to be forgotten” is also sometimes used to refer to a right to delisting.

While rights to delisting or erasure can be considered similar, they are not the same thing. The right to delisting applies specifically to personal data about you that can be found via search engines. For example, when you request that Google deletes certain results that appear when you type your name into the Google search bar, you are exercising your right to delisting. Your right to erasure is broader, as it applies to all controllers processing your data, not just search engines.

Step 1: Identify who to send your request to

Step 2: Drafting your request

Step 3: Controller response

Step 4: What if the controller refuses to erase my data?

When do controllers have to delete my data?

Controllers must delete your data in one of the following cases:

The storage or use of your data is no longer necessary for the purposes for which it was originally collected, and no new reason for processing or keeping it exists (eg your subscription at the gym expired months ago and you paid your membership fees on time)
The controller is relying on your consent to process the data and you withdraw that consent (to find out how to withdraw your consent, read here),
You object to the processing of your data and there are no overriding reasons for the controller to continue processing it, or your data is being used for direct marketing purposes (see more on the right to object)
The controller is processing your data illegally (eg they are processing it without a legal basis or in violation of one of the principles of personal data processing);
The data must be deleted in order for the controller to comply with a legal obligation (eg an obligation for a bank to delete any data about your debts after several years);
The data were collected in relation to the offer of information society services (eg social media or a gaming app) on the basis of the consent of a child (the age of consent is 13-16, depending on the EU country you live in).

Are there any exceptions to this obligation to delete my data?

Yes, but the controller will have to demonstrate that the exception applies to your specific circumstances, ie they cannot use a blanket excuse for refusing to delete data.

Controllers may not have to delete your data if one of the following applies:

Keeping or using the data is necessary for freedom of expression or information (eg a newspaper published its investigation online),
The data must be processed in order for the controller to comply with a legal obligation (eg national tax laws may require that certain personal data of taxpayers is retained),
The data must be retained for public health reasons (eg the visitors’ data are retained by a hospital to avoid contamination by a virus),
Deleting the data would “seriously impair or render impossible” processing of the information for statistical, historical or scientific purposes (eg in the case of archiving),
Keeping the data is necessary for taking or responding to a legal claim (this should be a claim that is already taking place at the time you make your request; this exception does not entitle the controller to keep your data ‘just in case’ a claim arises one day).

Can I ask for the deletion of my data in all cases?

Some exemptions exist, depending on the country. The most common exemptions exist in the field of law enforcement and police, national security, or taxation.

The controller can also refuse your request to delete your data if the request is excessive (eg several similar requests on the same matter) of manifestly unfounded (eg with the intention of causing disruption).

Who has to delete my personal data?

If you make a request to have your personal data erased, it is the data controller (the organisation/entity/administration/company processing your data) who must take the appropriate steps to erase it. The controller must also inform other controllers, processors (if they have outsourced processing to them), and any other recipients, that you want your data erased and that it must be deleted.

How do I get a controller to delete my data?

Step 1: Identify who to send your request to

A request to delete your data should be addressed to the controller (the organisation/entity/administration/company processing your data).

This can be done by email, letter, fax or through a form, as long as you have a written record of the request. When the processing is online, the controllers must provide automated ways (like a form, or a link to object in an email) to object to the processing of your data.

The relevant email address can usually be found in the “privacy policy” or “contact us” section of the controller’s website. It will generally have a name like privacy@company.com or legal@publicauthority.eu. If this is difficult to find, or if there is no specific address to which you can send your request, that’s the fault of the controller, not yours - the GDPR requires controllers to make this information easily accessible. Where there is no specific email address, you can use the general contact details of the controller.

Step 2: Drafting your request

Inform the controller that you are asking for the deletion of your data and that you are seeking a confirmation from the controller that they have stopped the processing. If there are several processing operations on you, specify which you would like to stop.
Specify your name or other identifier used by the controller (eg an account username). To help the controller address your request more efficiently, include some information that would help to identify your account, such as your phone number (if you gave it when you signed up), username or account name, or IP address. This will be particularly helpful if you have a common first name and surname.
Include the date in the text if you put your request in an attachment to the email or in a letter. This clarifies the controller’s deadline for providing the information.
Mention in your email or letter:
- that you are seeking the erasure of your data immediately (you can make an explicit reference to Article 17 GDPR),
- that you are seeking a confirmation that the controller has deleted your data within one month of making your request,
- the reason(s) why the controller is obliged to delete your data (see our list of grounds above in “when do controllers have to delete my data?”. You can include more than one reason outlining why the controller should delete your data)
- that if the data has been disclosed to other recipients, those parties must be informed of your request and the data deleted from their systems also.
Specify how you would like to receive the information, eg electronically, via an email address.
You can ask the controller to confirm that they will refrain from processing the contested data while they are handling your request. In such a case, specify that you want to exercise your right of restriction of your data under Article 18(1)(d) GDPR.

If you prefer, you can also use the tools provided by mydatadoneright.eu. Their system will write and send the erasure request for you.

Step 3: Controller response

Once the controller receives your request, they have one month to respond and confirm they have deleted your data. This period can only be extended once by a maximum of two further months, in cases of complex or multiple requests.

The controller can ask you additional information to confirm your identity in case of doubt. However, such a request should be limited to the additional information necessary to confirm who you are. The additional information cannot be disproportionate, having considered the context of the processing of your data (eg a shop asking you a copy of your passport to change the address of a loyalty card would be disproportionate).

Generally, this response should be provided to you in writing, but it can be communicated to you via electronic means such as email, or it can be provided orally if you request it.

Step 4: What if the controller refuses to erase my data?

A controller may reply to your request saying that they have decided not to delete some or all of the data you requested be erased. If they do this, they must explain why not, and demonstrate in their explanation how one of the exceptions applies in your particular case (see explanations above). The controller cannot refuse to delete the data for any other reason, nor can they issue you with a generic, blanket response.

If the controller:

rejects your request without a satisfactory explanation,
tries to unjustifiably charge you for your request,
does not:
- restrict the processing while handling your request (if you asked for it),
- respond after a month (or an extended period of maximum 3 months),

you are entitled to file a complaint with a data protection authority (eg the DPA where you live or work), and the controller should inform you about that.

If you need assistance in assessing the legal elements of a controller’s reply, you can contact us at info@noyb.eu to discuss further steps.

Back to Exercise Your Rights

Support us!

noyb funding goal

74.26 %

Invest in privacy!

Follow us!

Media Coverage

Apple hits back at European activist complaints against tracking tool

An Austrian privacy advocacy group drew a strongly critical response from Apple on Monday after it said an online tracking tool used in its devices breached European law.

101 Unternehmen leiten noch immer Daten an die USA weiter

Der Datenschutz-Verein noyb brachte 101 Beschwerden gegen den Datentransfer in die USA ein.

ZDF Magazin Royale vom 10. Dezember 2021

Expertentalk mit Datenschützer und Facebookbezwinger Max Schrems

Irish regulator proposes 36 mln euro Facebook privacy fine - document

The complaint, lodged by Austrian privacy activist Max Schrems, concerned the lawfulness of Facebook's processing of personal data, specifically around its terms of service.

DPC seeking penalty of up to €36m against Facebook

The Data Protection Commission (DPC) has suggested a penalty of between €28 million and €36 million for Facebook in a draft decision made against the company. Austrian privacy and data rights campaigner Max Schrems’s NOYB organisation, which filed the original complaint against the technology giant, has published the commission’s draft decision online.