Right to erasure
In some situations, an organisation is obliged to erase a person's personal data if that person asks for this. People have the right to erasure of data. This is also called the 'right to be forgotten'.
Does an organisation no longer have a good reason to process someone's personal data? Then it is important that the organisation erases these data. But note: often it is not possible for an organisation to erase all personal data.
When erasure is and is not possible
An organisation is obliged to erase someone's personal data in the following situations:
- The organisation no longer needs the personal data for the purpose for which the organisation collected the data or for which the organisation processes the data.
- The person in question gave consent to the organisation for the use of the data at an earlier time, but withdraws that consent now.
- The person (rightly) objects to the use of the data.
- The organisation fails to comply with the privacy rules when using the personal data. For example, because there is no legal basis for processing.
- The organisation is obliged by law to erase the data after a specific period of time.
- Apps and websites and children: the personal data of a child aged under 16 have been collected through an app or a website.
Note: In these situations, the organisation is no longer allowed to process the data in any case, even if the person does not ask for erasure of the personal data. So if an organisation does everything by the book, no one will have to make a request for erasure of data.
The right to erasure does not apply in the following situations:
- The data processing is necessary for exercising the right to freedom of speech and information. By making this exception, the GDPR does justice to the principle that ‘privacy’ and ‘freedom of speech’ are equivalent fundamental rights.
- The organisation processes the data because there is a legal obligation to do so.
- The organisation processes the data for the performance of a task (laid down by law) carried out in the public interest or in the exercise of official authority.
- The organisation processes the data for a task of public interest in the area of public health.
- The organisation has to archive the data in the public interest.
- The data are necessary for a legal claim.
In addition, the GDPR contains some general exceptions to the privacy rights. As a result, an organisation can also reject someone's request in a special case. It is, for example, not the intention that someone relies on the right to erasure for erasing traces of criminal conduct.
Asking for erasure of data
Do you want an organisation to erase your personal data? Send that organisation an email or a letter. Indicate in this email or letter which data you want to have erased. You can use the removal of data example letter (in Dutch) of the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, for your request.
At Using your privacy rights, you can read about what to do if you want to ask for erasure of data. And what you can expect from the organisation then.
Response to a request
The organisation has to give a response to your request within 1 month.
- Does the organisation decide to erase your data? Then the organisation will have to do this as soon as possible. That is within 1 month at the latest.
- Does the organisation decide not to erase (all of) your data? Then the organisation will have to let you know why not. Read what you can do if you do not agree with the refusal.
- Does the organisation not respond within 1 month? Read what you can do if the organisation does not respond.
Informing other organisations
Has the organisation erased your personal data? And did the organisation pass on your data to other organisations in the past year? Then the organisation will have to inform these other organisations that it has erased your data. And that they have to erase every copy of or link to your personal data.
Do you want to know whom the organisation has informed about the erasure of your data? Then you can ask the organisation. The organisation is obliged to answer your question.
For organisations: right to erasure in practice
Do you, as an organisation, receive a request for erasure of data? Take a look at For organisations: privacy rights in practice to see what you have to do to handle the request in accordance with the rules (among other things: verify the requester's identity, reply period). In addition, the following particulars apply for the right to erasure:
- determine which data you have to erase;
- also erase the data from backups;
- consider the reply period;
- give a specific reply to the requester;
- also inform other organisations of urgent cases.
Determine which data you have to erase
Determine which personal data you have and do not have to erase. For example, legal obligations may apply as a result of which you have to continue retaining certain personal data. In addition, the GDPR contains some general exceptions to the privacy rights. These enable you to reject a request in a special case. It is, for example, not the intention that someone relies on the right to erasure for erasing traces of criminal conduct.
Also erase the data from backups
Backups also fall under the right to erasure. If you receive a request for erasure of personal data, you will therefore also have to erase these data from your backups as soon as possible. Do you have backups that cannot or cannot easily be overwritten, such as tapes? Then you cannot erase the personal data from the backups. Make sure that you keep proper records of which personal data you should have erased. Is restoring a backup necessary? Then you will have to erase these data when you do this.
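One way to implement the record-keeping and restore step described above, as an added example that is not part of the original page: an erasure ledger is replayed against a restored database before it goes back into service. The schema, the ledger format, the dates and the sample rows are constructed assumptions.

```python
import sqlite3

# Erasure ledger (hypothetical format). It is stored outside the backup set,
# so that restoring a backup cannot roll the ledger itself back. It holds only
# the internal record key, not the erased personal data. Constructed sample.
LEDGER = [
    {"subject_id": 2, "requested": "2024-03-01", "erased_live": "2024-03-05"},
]

# Assumed schema: every (table, column) pair that links rows to a data subject.
# Child tables come first so deletes do not leave orphaned references.
SUBJECT_TABLES = [("orders", "customer_id"), ("customers", "id")]


def restored_backup() -> sqlite3.Connection:
    """Constructed stand-in for a restored backup that predates the erasure."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER,
                             address TEXT);
        INSERT INTO customers VALUES (1, 'a@example.test'), (2, 'b@example.test');
        INSERT INTO orders VALUES (10, 1, 'Street 1'), (11, 2, 'Street 2'),
                                  (12, 2, 'Street 3');
    """)
    return db


def remaining(db: sqlite3.Connection, ledger: list) -> int:
    """Count rows still held for ledgered subjects; must be 0 before go-live."""
    total = 0
    for entry in ledger:
        for table, col in SUBJECT_TABLES:  # names come from the constant above
            query = f"SELECT COUNT(*) FROM {table} WHERE {col} = ?"
            total += db.execute(query, (entry["subject_id"],)).fetchone()[0]
    return total


def replay_ledger(db: sqlite3.Connection, ledger: list) -> dict:
    """Re-apply every recorded erasure; return rows deleted per subject."""
    deleted = {}
    with db:  # single transaction: all erasures are applied, or none
        for entry in ledger:
            count = 0
            for table, col in SUBJECT_TABLES:
                stmt = f"DELETE FROM {table} WHERE {col} = ?"
                count += db.execute(stmt, (entry["subject_id"],)).rowcount
            deleted[entry["subject_id"]] = count
    return deleted
```

Running `remaining` after `replay_ledger` gives a restore procedure a pass/fail gate: a non-zero count means the restored copy still contains data that was already erased in production.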
Consider the reply period
Did the requester report the sharing of the personal data to the police, for example in a case of revenge porn? Then consider whether you can handle the request with more urgency.
Give a specific reply to the requester
When replying to the requester, be as specific as possible about how you will respond to the request. Some people will ask for proof that you have actually erased their personal data. Because you obviously cannot show which personal data you do not have (anymore), it is particularly important that you provide sufficient information in your response to ensure that the requester can be confident that you have carried out the request correctly.
Indicate, for example, which personal data you have erased and when you did this. Also indicate which personal data you did not erase, why not, and when you will be doing this.
Also inform other organisations of urgent cases
When informing other organisations about the personal data erased by you, also mention it if the person in question has made a report to the police. That way, you ensure that these organisations also know that it is important to erase the personal data as soon as possible.
More information
EDPB guidelines on the right to be forgotten in search engines