Under General Data Protection Regulation (GDPR) guidelines, every EU citizen has the right to request the deletion of their personal data by an organisation. This is known as the ‘right to erasure’. In this article we explain more about what qualifies as personal information and how you can properly request a company to delete your data.
What is classed as personal data?
There are many different types of personal data, with the most common being:
- Date of birth
- Home address
- Contact details (phone/email)
- National insurance number
- Passport details
- Driver's licence
While the above are more standard forms of personal data, there are also additional categories that are deemed more sensitive and require a higher level of protection. These include:
- Race or ethnic origin
- Sexual orientation
- Religious or political beliefs
- Trade union membership
- Health records
- Biometric data
- Criminal offence/conviction information
When can you ask for your data to be deleted?
Everyone will have their own reasons for requesting that an organisation delete their personal data. Your right to make the request applies when:
- You no longer permit the organisation to use your personal data. An example of this could be if you provided information for research purposes but no longer wish to participate.
- The data is no longer needed for the original reason it was collected. This could apply to a membership scheme you have now cancelled, which required you to provide name, address and other details.
- Your personal information has been collected or used illegally. If laws relating to data protection have not been followed, you have the right to request that it be deleted.
- The data was collected by an online service such as social media. Special protection is offered to children as they are less likely to be aware of the potential consequences of giving their data to a third party.
How can you properly request a company to delete your data?
If you want to request that an organisation delete your information, there is a formal procedure to follow. Firstly, identify the person or department who will be responsible for managing your request – this will vary depending on the size of the organisation.
You can choose to make your request in either written or verbal form. If you choose to make a verbal request, it is recommended that you follow this up with a written request, as this creates an official record should it be needed for future reference. Hopefully this will be a precaution you won’t need to rely on at a later date, but it is sensible to safeguard yourself just in case.
The written request should be short and to the point, stating who you are, your contact details and the full details of the data you would like deleted, and asking when they will be able to complete your request. Include details such as your:
- Full address
- Current date
- Name of organisation being contacted
- Reference/account number (if one exists)
- Name of organisational contact
- Personal data you would like deleted
Once received, the onus is then on the organisation to respond. They will either choose to accept your request, or if an exemption is applicable (see below) they will have to explain their reasons for refusal.
Can the organisation refuse your request?
There are circumstances where the organisation is able to refuse your request to delete your data. These include:
- Where they hold a legal obligation to retain your information – this is often because they must do so to remain compliant with regulatory requirements within their industry.
- If the data is deemed relevant to freedom of information and expression, such as academia, journalism or artistic purposes.
- The data is a necessary requirement for defending, exercising or establishing legal claims.
- When retaining the information is seen as necessary for public health.
The organisation will have the option to partially or fully refuse your request for deletion if they believe any of the above exemptions apply.
In addition, you may also be refused on the grounds of your request being deemed excessive or unfounded. There is something of a grey area around refusing to answer requests on these grounds, as it depends on your personal situation. They can refuse your request or may ask for a ‘reasonable’ fee to cover administrative costs – either way they must be able to justify their final decision.
Even when an organisation refuses your request, they must reply to you. Along with providing reasons as to why they will not erase your data, they should also inform you of your right to complain about their decision to the Information Commissioner’s Office (ICO) or in court.
How long does it take to delete your data?
Once you have sent your request, the organisation has one calendar month to reply. For example, if a request is received on June 6 they must respond by July 6. The only exception to this is if the end date is a Saturday, Sunday or bank holiday, in which case the deadline is moved to the next working day. In most cases they will be able to let you know if they will accept or refuse your request within this time frame; however, there are instances where they require an extension to reach a decision. If this is the case they must still respond within one month to explain the reason why.
The organisation may ask you to prove your identity, although this should not require you to provide extensive amounts of information. If proof of identity is requested, then the one-month response window starts from this point.
Can you make a complaint if you are unhappy with the process?
The first thing to do if you are dissatisfied with how your request has been processed is to discuss this with the organisation itself. See how they respond to your complaint, as you may be able to resolve the issue without taking things further.
If you are still unhappy with their response, you can raise a complaint with the ICO or take the issue to the courts. Before taking up the latter option, be sure to seek professional legal advice to fully discuss your options.
Remember, as an EU citizen it’s well within your rights both to request your information from a company and to have them delete it. Whatever your reasons for requesting data deletion, a company has to respond to your request within 30 days by law, unless they can give you a reason as to why they need an extension. Let us know how you get on!