From getting an insurance quote to signing up to a new gym, you often need to provide companies with your personal data, such as your name, address and birth date.
But while this is often necessary and convenient, your data belongs to you and should only be used properly and legally.
So you can ask an organisation that holds data about you to delete it. And in many cases they must do so. This is your right to erasure, also known as your ‘right to be forgotten’.
But data erasure is not a blanket right, and sometimes organisations are obliged to hold onto some of your data.
How do you ask for your data to be deleted?
You should contact the organisation, either on the phone or in writing - see the template letter here - and let it know what data you want erased.
The organisation then has one month to respond to your request.
When must the organisation say yes, and delete your data?
- The organisation no longer needs your data. An example from the Information Commissioner’s Office (ICO), the UK’s data watchdog, is if you have cancelled your gym membership, in which case it no longer needs to keep details of your name, address, age and health conditions.
- You initially agreed to the use of your data but have withdrawn your consent. For example, if you agreed to take part in a market-research study but change your mind.
- The organisation has a legal obligation to erase your data. This applies when it’s no longer necessary for the purpose for which it was originally collected or processed.
- The data was collected from you as a child for an online service, such as social media or a gaming app.
- You have objected to the use of your data, and your interests outweigh those of the organisation using it.
- The organisation has collected or used your data unlawfully.
In these circumstances, the organisation should not only delete your data, but also inform anyone else it has shared your data with about the erasure.
When can the organisation say no?
The organisation or company may have good reason to refuse to erase your data. It can do so if:
- The law or regulations say so. For example, if you move bank, your old bank isn’t allowed to delete your personal details as banks have to store all customer details for 10 years. Similarly, if an insurance company has provided you with a quotation for motor insurance but you decided against it, the company must still keep the details on record to deal with complaints or any request for information from the regulator.
- Keeping your data is necessary for reasons of freedom of expression and information, such as journalism and academic, artistic and literary purposes.
- Keeping hold of your data is necessary for reasons of public health, or for defending legal claims.
- Erasing your data would prejudice scientific or historical research, or archiving that is in the public interest.
- Your request is “manifestly unfounded or excessive”, meaning it’s repetitive. In this case, the organisation can either say no, or charge you a fee to deal with the request.
If the organisation decides it does not need to erase your data, it must still respond to you explaining why, and letting you know about your right to complain about its decision to the ICO, or through the courts.