Your data rights
The Right to Erasure: When a Company Must Delete Your Data
A plain-language guide to the UK GDPR right to ask an organisation to delete personal data about you — the specific grounds that trigger it, the reasons a company can lawfully say no, and how the two fit together.
In short
The right to erasure (UK GDPR, Article 17) lets you ask an organisation to delete personal data it holds about you. It applies in specific situations — such as data no longer being needed — not in every case. An organisation can refuse where it has a lawful reason to keep the data.
What the right to erasure actually is
The right to erasure is one of the rights the UK GDPR gives every individual over their own personal data. Set out in Article 17 and sometimes called the right to be forgotten, it lets you ask an organisation to delete personal data it holds about you. The name can give the wrong impression, so it helps to be clear from the start: it is a right to ask, and it applies in specific situations rather than as a blanket power to have anything about you removed.
It sits alongside other rights — such as the right of access (the basis of a Data Subject Access Request) and the right to object — and is often used after you already know what an organisation holds. Where it applies, the organisation should delete the relevant data; where a valid reason to keep it exists, it may decline. Understanding which situations trigger the right is the practical core of using it well.
This guide explains the grounds in plain language and the common reasons a request can be refused. It is general information, not legal advice.
The grounds that can trigger erasure
Under the UK GDPR, the right to erasure applies in a defined set of circumstances rather than on request alone. You do not need to recite the law to use it, but knowing the grounds helps you frame a clear, specific request — and understand when the right is likely to apply.
In broad terms, you can ask for erasure where one of these situations fits your case. Each is a recognised ground under Article 17.
- The personal data is no longer necessary for the purpose it was originally collected or used for.
- You withdraw consent that the processing relied on, and there is no other lawful basis for keeping the data.
- You object to the processing and the organisation has no overriding legitimate grounds to continue.
- The personal data has been processed unlawfully — that is, in breach of data-protection law.
- The data must be erased to comply with a legal obligation the organisation is subject to.
- The data was collected from a child in the context of an online service.
When a company can lawfully refuse
The right to erasure is not absolute. The UK GDPR sets out exemptions where an organisation can keep personal data even after you ask for it to be deleted, because another important interest applies. This is why no erasure request can be guaranteed to succeed — the decision rests with whoever holds the data, weighed against these exemptions.
Common reasons an organisation may lawfully decline include needing the data to exercise the right of freedom of expression and information, to comply with a legal obligation, for reasons of public interest in public health, for archiving, research or statistical purposes in the public interest, or to establish, exercise or defend legal claims. Where a refusal applies, the organisation should explain its reasons rather than simply going quiet.
If you ask for erasure and you are unhappy with how the organisation handles your request — whether it refuses without a clear reason or does not respond within the usual one calendar month — you have the right to complain to the data-protection regulator, the Information Commissioner's Office (ICO). You stay in control throughout: the choice of whether to ask, and what to ask to be deleted, is always yours. This is general information, not legal advice.
Frequently asked questions
Does a company have to delete my data if I ask?
Not in every case. The right to erasure under the UK GDPR (Article 17) applies in specific situations — for example where the data is no longer needed, or where you withdraw the consent the processing relied on. An organisation can lawfully keep data where an exemption applies, such as a legal obligation to retain it. Because the decision rests with whoever holds the data, no outcome can be guaranteed.
Is the right to erasure the same as the right to be forgotten?
They are two names for the same thing. The right to erasure is the term used in the UK GDPR (Article 17); the right to be forgotten is the more familiar everyday phrase. Both describe your right to ask an organisation to delete certain personal data it holds about you, in the circumstances the law sets out.
How long does a company have to respond to an erasure request?
Usually one calendar month from the date it receives your request and confirms your identity. For a complex request the deadline can be extended by up to two further months, but the organisation should tell you about the extension within the first month and explain why.
What can I do if my erasure request is refused?
First, look at the reason given — a refusal should come with an explanation, such as a legal obligation to keep the data. If you are still unsatisfied, you have the right to complain to the data-protection regulator. In the UK that is the Information Commissioner's Office (ICO), at ico.org.uk. Complaining is free and you can do it yourself.
Related terms
This is general information, not legal advice. For guidance on your own situation, consider speaking with a qualified professional.
Reviewed by OSINTA's founding lawyer — 2026-06-27.
Understand your footprint, then decide
OSINTA helps you see what's public about you and frame and route your own requests — you stay in control of every step. It does not delete data for you or promise an outcome.