
Right to Request Data Deletion

Under the General Data Protection Regulation (GDPR), individuals (data subjects) have the right to request the deletion of their personal data.

This right, also known as the "right to be forgotten," allows individuals to ask organizations to erase their personal data when certain conditions are met, such as:
  1. The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
  2. The individual withdraws consent on which the processing is based, and there is no other legal ground for the processing.
  3. The individual objects to the processing and there are no overriding legitimate grounds for the processing.
  4. The personal data has been unlawfully processed.
  5. The personal data must be erased to comply with a legal obligation.

Required Responses and Timelines

Upon receiving a data deletion request, the company must:

  1. Acknowledge receipt of the request as soon as possible, and at the latest within one month of receipt. This period can be extended by two further months if the request is complex or if there are numerous requests. In such cases, you must inform the individual within one month of receiving the request and explain why the extension is necessary.
  2. Verify the identity of the individual making the request to ensure it is legitimate.
  3. Assess the request against the conditions outlined above.

Actioning the Request

If the conditions for deletion are met, you should:
  1. Delete or anonymize all personal data you hold on the individual, unless an exemption applies (see below).
  2. Inform the individual that their data has been deleted and confirm the action taken.

Exemptions Under Article 17(3)

There are specific exemptions under which you may refuse to comply with a data deletion request:
  1. Freedom of Expression and Information: If the data is necessary for exercising the right of freedom of expression and information, e.g. data necessary for journalism, academia, or artistic purposes.
  2. Compliance with a Legal Obligation: If the data must be retained to comply with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority, e.g. a financial institution is required to retain customer transaction data for a certain number of years to comply with anti-money laundering regulations.
  3. Public Health: If the deletion would hinder the performance of a task carried out for public health purposes in the public interest, e.g. health authorities retain patient data for monitoring and controlling the spread of infectious diseases.
  4. Archiving, Research, or Statistics: If the data is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, and erasure is likely to render impossible or seriously impair the achievement of those purposes.
  5. Legal Claims: If the data is necessary for the establishment, exercise, or defense of legal claims, e.g. a company retains employee records that are relevant to an ongoing lawsuit regarding employment discrimination.

If an exemption applies, you should inform the individual of the reason why their request cannot be fully complied with.

To summarize:

  1. Acknowledge and verify the request promptly.
  2. Assess the request to determine if it meets the conditions for deletion.
  3. Respond within one month, with a possible extension of up to two further months if needed.
  4. Delete or anonymize the data, unless an exemption applies, and inform the individual of the action taken.