Your right to erasure under UK GDPR — what it means and how to use it

Under UK GDPR, you have the right to ask any organisation to delete your personal data — and in most cases, they must do it within 30 days. This right is set out in Article 17 and is commonly called the “right to erasure” or the “right to be forgotten.” It applies to data brokers, direct marketers, and any other organisation that holds information about you.

This is not a courtesy. It is a legal obligation. If a company ignores your request, you can escalate to the Information Commissioner's Office (ICO), the UK's data protection regulator, and the company can face enforcement action.

When the right applies

Article 17 lists six grounds on which you can request erasure. You only need to satisfy one of them:

• The data is no longer needed. The organisation collected your data for a specific purpose and that purpose no longer exists.
• You withdraw consent. If the organisation was relying on your consent to process your data, you can withdraw it at any time.
• You object to processing. You exercise your right to object under Article 21, and the organisation has no overriding legitimate interest to continue. For direct marketing, this right is absolute — there is no balancing test.
• The data was processed unlawfully. The organisation never had a valid legal basis for holding or using your data.
• A legal obligation requires deletion. Domestic or EU law requires the data to be erased.
• The data relates to a child. If you are a parent or guardian and the data concerns a child under 18 who provided it in connection with an information society service.

For data brokers specifically, the most straightforward ground is usually either the absence of a lawful basis or the Article 21 marketing objection — which, once made, the broker cannot refuse.

When companies can refuse

The right is strong but not absolute. Article 17(3) sets out the exceptions. A company can legitimately refuse if it needs to keep your data:

• To comply with a legal obligation (for example, tax records)
• For the exercise or defence of legal claims
• For reasons of public health
• For archiving in the public interest, scientific research, or statistical purposes
• For the exercise of the right of freedom of expression and information

In practice, none of these exceptions apply to the data brokers that build marketing profiles on ordinary consumers. Legitimate interests — the catch-all legal basis that many companies prefer to rely on — does not override an Article 21 marketing objection. Organisations sometimes claim it does. They are wrong.

The 30-day deadline

Once you submit a valid erasure request, the company has one calendar month to respond. If your request is complex or you have submitted multiple requests at once, they may extend this by a further two months — but they must tell you within the first month that they are doing so and explain why.

If you hear nothing within 30 days, that silence is itself a breach. You do not need to wait for a refusal — you can escalate to the ICO immediately.

How to write an erasure request

There is no required format. You can make the request by email, letter, or even through a web form if the company provides one. The company cannot require you to use a specific channel or to complete a form if you have submitted a valid request through another means.

Your request should include:

• Your full name and any names you have previously used
• Your current address and any previous addresses they might hold
• Your date of birth (to help identify your records)
• A clear statement that you are exercising your right to erasure under Article 17 of the UK GDPR
• A specific reference to Article 21 if your request is based on objecting to direct marketing

You do not have to explain why you want your data deleted beyond citing the relevant article. You do not have to pay a fee. The company cannot refuse to process your request on the grounds that you have not provided a reason.

What to do if a company refuses

If a company refuses your request, it must tell you why in writing, explain that you have the right to complain to the ICO, and tell you that you may seek a judicial remedy.

You can file a complaint with the ICO at ico.org.uk/make-a-complaint. The ICO will investigate and can require the company to comply, impose fines, and publish enforcement actions. ICO investigations typically take 3–6 months.

You can also seek a court order in the county court requiring the company to comply — though in practice most people go through the ICO first, as it is free and does not require a solicitor.

Why this matters for data brokers

Most UK data brokers hold your information legally — they purchase it from the edited electoral register, from Companies House, and from credit reference agencies. Having a lawful source does not mean they can hold it forever. The moment you object to your data being used for direct marketing, their legal basis evaporates. The right to object to direct marketing under Article 21(2) is absolute — there is no legitimate interests test, no proportionality assessment. They must stop.

The practical challenge is that there are over 20 significant data brokers operating in the UK, each requiring a separate request. That is what DataDelete does — we send the requests, track the 30-day deadlines, and escalate to the ICO on your behalf if any broker does not comply.