Right to Erasure (Right to be Forgotten)

Under Article 17 of UK GDPR, you have the right to request erasure of your personal data when one of the following grounds applies:

• The personal data is no longer necessary for the purpose it was originally collected or processed.
• You withdraw consent on which the processing was based, and there is no other legal ground for processing.
• You object to the processing under the right to object, and there are no overriding legitimate grounds for continued processing.
• The personal data has been unlawfully processed — i.e., processed without a valid legal basis.
• The personal data must be erased to comply with a legal obligation in UK or EU law applicable to the controller.
• The personal data was collected in relation to the offer of information society services to a child (online services), where parental consent was required.

The right to erasure is not absolute. Organisations can refuse to comply where the processing is necessary for:

• Exercising the right of freedom of expression and information — including journalism and public interest material about public figures or matters of public concern.
• Compliance with a legal obligation — for example, a bank must retain financial records for a statutory minimum period even if you request deletion.
• Performance of a task carried out in the public interest — including archiving in the public interest, scientific or historical research, or statistical purposes.
• The establishment, exercise, or defence of legal claims — organisations involved in or anticipating litigation may retain data necessary to defend themselves.
• Public health purposes

If an organisation refuses your erasure request, they must explain which exemption applies and how it is relevant to your specific data.

A specific application of the right to erasure is requesting that search engines de-index search results that link to pages containing outdated, irrelevant, or damaging information about you. Both Google and Bing have online request forms for UK users.

Search engines balance your right to erasure against the public's right to access information. De-indexing is more likely to be granted where the information is:

• No longer accurate or up to date (e.g., an old criminal conviction that is now spent)
• Irrelevant to your current public role or activities
• Disproportionately damaging given your status as a private individual

De-indexing removes the page from search results but does not delete the underlying content from the website hosting it — you may need to contact the site directly as well.

To submit an erasure request:

1. Write to the organisation's Data Protection Officer (DPO) or data controller, clearly stating that you are exercising your right to erasure under Article 17 of UK GDPR.
2. Specify exactly which data you want deleted and, if relevant, the ground on which you are relying (e.g., "the data is no longer necessary" or "I am withdrawing my consent").
3. The organisation has one month to respond. They must either confirm erasure, explain which exemption applies, or ask for clarification.
4. If the organisation refuses without adequate justification, complain to the ICO or apply to a court under Section 167 of the DPA 2018 for a compliance order.