A right-facing arrow carved into a white concrete wall
by Syan Bateman
on November 23, 2022

Next up, at number four, is the right to erasure. Also known as the right to be forgotten, people have the right to ask for their data to be erased.

When does this apply?

As part of Article 17 of the UK GDPR, people can ask to erase their data if:

  • The data is no longer necessary for your original purpose,
  • Your lawful basis was consent, which is being withdrawn,
  • Your lawful basis was legitimate interest, the person objects to the processing, and there is no overriding legitimate interest,
  • They object to their data being used for direct marketing,
  • Your processing was illegal,
  • You have to erase the data to comply with a legal obligation, or
  • The data was processed to offer information services to a child.

Like all requests, it can be done verbally, online, or in writing, to any part of your organisation. You must first be certain of their identity, and that they can be asking for that person’s data.

When does it not apply?

However, there are certain circumstances where you do not have to comply with an erasure request. This may be:

  • Your right of freedom of expression and information,
  • Due to a legal obligation,
  • Your lawful basis is public interest, or you are processing on behalf of, or as, an official authority,
  • The request is manifestly unfounded or excessive,
  • You are archiving the data for public interest, scientific research, historical research or statistical purposes, and erasing the data may seriously impair that purpose, or
  • You need to establish, exercise, or defend legal claims.

What should we do?

If the erasure request is valid, then you must respond within a month. You should erase the data from active and backup systems, ensuring that the information is not being used whilst erasing.

If the data was disclosed to a third party, or the data was made public online, you should also tell relevant third parties about the erasure request, unless impossible.

You must respond to the requestor and tell them what will happen to their data. If the erasure request is valid and being fulfilled, how long will it take to erase it? If it’s not valid, you must tell them why you will not erase their data.

If you need any more information regarding the right to erasure, or some advice on dealing with data privacy rights, feel free to contact us.

Categories:

PrivacyUK GDPR

Tags:

No Tag

No responses yet

Leave a Reply

Your email address will not be published. Required fields are marked *

© 2025 Bivika. Created for free using WordPress and Colibri