Right to removal of data

In some situations, organisations are obliged to remove (erase) personal data of someone if that person asks for this. People have the right to removal of data. This is called the 'right to erasure of data' or the 'right to be forgotten' in the GDPR.

Does an organisation no longer have a good reason to process someone's personal data? Then it is important that the organisation removes these data. But note: often it is not possible for an organisation to remove all personal data.

When removal is and is not possible

An organisation is obliged to remove someone's personal data in the following situations:

  • The organisation no longer needs the personal data for the purpose for which the organisation collected the data or for which the organisation processes the data.
  • The person in question gave consent to the organisation for the use of the data at an earlier time, but withdraws that consent now.
  • The person (rightly) objects to the use of the data.
  • The organisation fails to comply with the privacy rules when using the personal data. For example, because there is no legal basis for processing.
  • The organisation is obliged by law to remove the data after a specific period of time.
  • Apps and websites and children: the personal data of a child aged under 16 have been collected through an app or a website.

Note: In these situations, the organisation is not allowed to process the data any longer in any case. Even if the person does not ask for removal of the personal data. So if an organisation does everything by the book, no one will have to make a request for removal of data.

The right to removal of data does not apply in the following situations:

  • The data processing is necessary for exercising the right to freedom of speech and information. By making this exception, the GDPR does justice to the principle that ‘privacy’ and ‘freedom of speech’ are equivalent fundamental rights.
  • The organisation processes the data because there is a legal obligation to do so.
  • The organisation processes the data for the performance of a task (laid down by law) carried out in the public interest or in the exercise of official authority.
  • The organisation processes the data for a task of public interest in the area of public health.
  • The organisation has to archive the data in the public interest.
  • The data are necessary for a legal claim.

In addition, the GDPR contains some general exceptions to the privacy rights. As a result, an organisation can also reject someone's request in a special case. It is, for example, not the intention that someone relies on the right to removal of data for erasing traces of criminal conduct.

Asking for removal of data

Do you want an organisation to remove your personal data? Send that organisation an email or a letter. Indicate in this email or letter which data you want to have removed. You can use the removal of data example letter of the Dutch Data Protection Authority for your request.

At 'Using your privacy rights', you can read about what to do if you want to ask for rectification. And what you can expect from the organisation then. For example: the organisation has to verify your identity first.

Response to a request

The organisation has to give a response to your request within 1 month.

  • Does the organisation decide to remove your data? Then the organisation will have to do this as soon as possible. That is within 1 month at the latest.
  • Does the organisation decide not to remove (all of) your data? Then the organisation will have to let you know why not. Read what you can do if you do not agree with the refusal.
  • Does the organisation not respond within 1 month? Read what you can do if the organisation does not respond.

Informing other organisations

Has the organisation removed your personal data? And did the organisation pass on your data to other organisations in the past year? Then the organisation will have to inform these other organisations that it has removed your data. And that they have to remove every copy of or link to your personal data.

Do you want to know whom the organisation has informed about the removal of your data? Then you can ask the organisation. The organisation is obliged to answer your question.

For organisations: right to removal of data in practice

Do you, as an organisation, receive a request for removal of data? Take a look at 'For organisations: privacy rights in practice' to see what you have to do to handle the request in accordance with the rules (among other things: verifying the requester's identity and the reply period). In addition, the following particulars apply to the right to removal of data:

  • determine which data you have to remove;
  • also remove the data from backups;
  • consider the reply period;
  • give a specific reply to the requester;
  • also inform other organisations of urgent cases.

Determine which data you have to remove

Determine which personal data you have and do not have to remove. For example, legal obligations may apply as a result of which you have to continue retaining certain personal data. In addition, the GDPR contains some general exceptions to the privacy rights. These enable you to reject a request in a special case. It is, for example, not the intention that someone relies on the right to removal of data for erasing traces of criminal conduct.

Also remove the data from backups

Backups also fall under the right to be forgotten. If you receive a request for removal of personal data, you will therefore also have to remove these data from your backups as soon as possible. Do you have backups that cannot or cannot easily be overwritten, such as tapes? Then you cannot remove the personal data from the backups. Make sure that you keep proper records of which personal data you should have removed. Is restoring a backup necessary? Then you will have to remove these data when you do this.

Consider the reply period

Did the requester report the sharing of the personal data to the police? For example, in the case of revenge porn? Consider then if you can handle the request with more urgency.

Give a specific reply to the requester

When replying to the requester, be as specific as possible about how you will respond to the request. Some people will ask for proof that you have actually removed their personal data. Because you obviously cannot show which personal data you do not have (anymore), it is particularly important that you provide sufficient information in your response to ensure that the requester can be confident that you have carried out the request correctly.

Indicate, for example, which personal data you have removed and when you did this. Also indicate which personal data you did not remove, why not, and when you will be doing this.

Also inform other organisations of urgent cases

When informing other organisations about the personal data removed by you, also mention it if the person in question has made a report to the police. That way, you ensure that these organisations also know that it is important to remove the personal data as soon as possible.