UK Right to Erasure (Right to Be Forgotten)

The UK right to erasure, popularly called the "right to be forgotten", lets you ask an organisation to delete your personal data in defined circumstances under Article 17 of the UK GDPR. It is not an absolute right, and a controller has one calendar month to respond.
For the full UK framework, see our United Kingdom data privacy laws overview.
What the right to erasure actually covers
The right to erasure is set out in Article 17 of the UK GDPR, supplemented by the Data Protection Act 2018. The Information Commissioner's Office (ICO) is clear that this is a qualified right, not a guarantee that any data will be deleted whenever you ask. It only bites when one of the specific Article 17(1) grounds is made out, and even then several exemptions can override it. The right also overlaps with, but is distinct from, the rights to rectification, to restrict processing, and to object. An erasure request does not have to use the words "erasure" or cite Article 17; the ICO treats any clear request to delete personal data as engaging the right, so organisations must recognise informal requests and route them correctly.
Watch out: erasure is about your personal data, not about removing accurate published information from the internet at large. Deleting a record from a controller's files is a different act from removing a result from a search engine, which follows the delisting route discussed below.
The grounds: when you can demand erasure
Article 17(1) lists six grounds, and at least one must apply before a controller is obliged to delete: the data is no longer necessary for the purpose it was collected for; you withdraw consent where consent was the lawful basis and there is no other basis; you object to processing under Article 21 and there are no overriding legitimate grounds (or you object to direct marketing, which is an absolute objection); the data has been unlawfully processed; the data must be erased to comply with a legal obligation; or the data was collected from a child in relation to online services under Article 8. The ICO notes that erasure linked to a withdrawal of consent or a successful objection is the most common route for members of the public.

| Article 17(1) ground | Plain meaning |
|---|---|
| (a) No longer necessary | Purpose is fulfilled or expired |
| (b) Consent withdrawn | Consent was the basis and no other basis applies |
| (c) Objection upheld | Article 21 objection with no overriding grounds, or direct marketing |
| (d) Unlawful processing | Processed in breach of the UK GDPR |
| (e) Legal obligation | Domestic law requires deletion |
| (f) Child's data online | Collected from a child via information society services |

The exceptions: when a controller can refuse
Article 17(3) sets out the exemptions where the right does not apply even if a ground is made out. A controller can lawfully keep the data where processing is necessary for exercising the right of freedom of expression and information (which the ICO explains covers journalism and academic, artistic and literary purposes); for compliance with a legal obligation, or for the performance of a task carried out in the public interest or in the exercise of official authority; for public-health reasons under Article 9(2)(h)-(i); for archiving in the public interest, scientific or historical research, or statistical purposes, where erasure would seriously impair that work; or for the establishment, exercise or defence of legal claims. The ICO gives the example that a business can refuse to delete records it must keep to comply with financial or other regulations.
Watch out: the freedom-of-expression exemption is why a news organisation can usually decline to delete a lawful, accurate report. A separate question is whether a search engine should still link your name to that report, which is governed by delisting, not by Article 17 erasure against the publisher.
How to make a request and the one-month clock
The ICO confirms you can make a request verbally or in writing, and to any part of the organisation, though putting it in writing creates a clear record. The controller must act without undue delay and respond within one calendar month of receipt. That period can be extended by up to two further months where the request is complex or where you have made a number of requests, provided the controller tells you within the first month and explains why. Erasure is generally free. A controller can charge a reasonable administrative fee, or refuse, only where a request is manifestly unfounded or excessive, for example where it is clearly repetitive or made to harass. Under Article 19, a controller that erases data must also take reasonable steps to tell other recipients it has disclosed the data to, so they can erase it too.

Search-engine delisting: Google Spain and NT1 and NT2
Delisting is the part of the "right to be forgotten" people most often have in mind, and it has its own legal lineage. In Google Spain SL v AEPD and Costeja Gonzalez (C-131/12), decided on 13 May 2014, the Court of Justice of the EU held that a search engine operator is a data controller and can in principle be required to remove links to information about a person from results returned for a search on their name, even where the underlying page stays online. That ruling remains influential in the UK as retained case law.
The first English application came in NT1 and NT2 v Google LLC [2018] EWHC 799 (QB), decided by Mr Justice Warby on 13 April 2018 with the Information Commissioner intervening. Two businessmen, anonymised as NT1 and NT2, asked Google to delist results referring to their past convictions. The court reached opposite results. NT1's claim failed: the judge found he had shown little remorse, had continued in business, and that information about his conviction remained relevant to the public's assessment of his honesty. NT2's claim succeeded and Warby J ordered delisting, finding his conviction information had become out of date and of no sufficient legitimate interest to searchers. The case shows that delisting turns on a fact-specific balance of public interest against privacy, not on the age of the data alone.
If a controller refuses
A controller that declines an erasure request must, under the UK GDPR, tell you why and inform you of your right to complain to the ICO and to seek a judicial remedy. The ICO's guidance for the public advises raising the issue with the organisation first to give it a chance to put things right. If you remain dissatisfied, or the organisation does not respond, you can complain to the ICO, which can investigate and, where appropriate, take regulatory action. The ICO asks that you raise a complaint within three months of your last meaningful contact with the organisation, and provide a copy of your original request and the organisation's response. You also retain the option of court proceedings to enforce your rights or claim compensation for any damage caused, which is the route the claimants used in NT1 and NT2.

Frequently Asked Questions
Is the right to be forgotten the same as the right to erasure in the UK?
In everyday use the terms are treated as the same thing, and Article 17 of the UK GDPR is headed 'Right to erasure (right to be forgotten)'. Strictly, the right to erasure is your right to ask a controller to delete personal data it holds about you, while 'right to be forgotten' is often used loosely to include the separate process of asking a search engine to delist results for searches on your name. The two are governed by different legal tests, so it helps to be specific about which one you mean.
What are the grounds for requesting erasure under UK GDPR Article 17?
There are six grounds in Article 17(1): the data is no longer necessary for the purpose it was collected for; you withdraw consent and there is no other lawful basis; you object to the processing under Article 21 and there are no overriding legitimate grounds, or you object to direct marketing; the data was processed unlawfully; deletion is required to comply with a legal obligation; or the data was collected from a child for online services. At least one of these must apply before a controller is obliged to erase.
When can an organisation refuse to delete my data?
Article 17(3) lists the main exemptions. A controller can refuse where keeping the data is necessary for freedom of expression and information (including journalism and academic, artistic and literary work), to comply with a legal obligation or perform a public-interest task, for public-health reasons, for archiving in the public interest or scientific, historical or statistical research, or for the establishment, exercise or defence of legal claims. A request can also be refused if it is manifestly unfounded or excessive.
How long does an organisation have to respond to an erasure request?
The controller must respond without undue delay and within one calendar month of receiving the request. It can extend that by up to two further months where the request is complex or you have made several requests, but it must tell you within the first month and explain why. Responding is normally free of charge.
Do I have to put my erasure request in writing?
No. The ICO confirms a request can be made verbally or in writing, and to any part of the organisation. You do not need to mention Article 17 or use the word 'erasure', as long as it is clear you want your data deleted. Putting the request in writing is sensible because it gives you a dated record to rely on if you later need to complain.
How do I get my name removed from Google search results in the UK?
Delisting is a separate route from an erasure request to the original publisher. Following Google Spain (C-131/12), you can ask a search engine to remove links returned for a search on your name where the information is inadequate, irrelevant or excessive. The search engine balances your privacy against the public interest in finding the information. The English case NT1 and NT2 v Google LLC [2018] EWHC 799 (QB) shows delisting succeeds in some cases and not others depending on the facts.
What was decided in NT1 and NT2 v Google?
In NT1 and NT2 v Google LLC [2018] EWHC 799 (QB), Mr Justice Warby heard two businessmen seeking to delist results about their past convictions. NT1's claim failed because he had shown little remorse, remained in business, and the conviction stayed relevant to public assessment of his honesty. NT2's claim succeeded and the court ordered delisting because his conviction information had become out of date and of no sufficient continuing public interest. It was the first English decision applying the Google Spain delisting principle.
What can I do if a company refuses to delete my data?
First raise the issue with the organisation and ask it to reconsider, as it must explain its reasons and tell you about your right to complain. If you are still dissatisfied, you can complain to the Information Commissioner's Office, normally within three months of your last meaningful contact, supplying your original request and the organisation's reply. You can also pursue court proceedings to enforce your rights or seek compensation for damage caused.
Sources and References
- UK GDPR (Regulation (EU) 2016/679) Article 17, Right to erasure (right to be forgotten) (legislation.gov.uk)
- ICO, Right to erasure guidance (grounds, exemptions, one-month response, manifestly unfounded requests) (ico.org.uk)
- ICO, Your right to get your data deleted (public guidance) (ico.org.uk)
- ICO, Make a complaint (how to complain about an organisation's handling of your data) (ico.org.uk)
- NT1 & NT2 v Google LLC [2018] EWHC 799 (QB), Warby J, 13 April 2018 (approved judgment) (judiciary.uk)
- Google Spain SL v AEPD and Costeja Gonzalez, Case C-131/12, CJEU, 13 May 2014 (eur-lex.europa.eu)
- Data Protection Act 2018 (legislation.gov.uk)