
How to Make Companies Delete Your Data: Your GDPR Rights Explained

Under UK GDPR, you have the right to be forgotten. Learn how to force companies to delete your personal data.

2 January 2025

Companies collect enormous amounts of data about you. Under UK GDPR, you have the "right to be forgotten" - the power to make them delete it. But companies often make this difficult. Here's how to actually get your data deleted.

Your Right to Be Forgotten

The UK GDPR (General Data Protection Regulation) gives you the right to have your personal data erased. This includes:

  • Your name, address, contact details
  • Account information
  • Purchase history
  • Browsing data and cookies
  • Photos and content you've uploaded
  • Messages and communications
  • Any data that identifies you

When Companies MUST Delete Your Data

Companies must comply with your deletion request when:

  1. The data is no longer needed for its original purpose
  2. You withdraw consent for processing you previously agreed to
  3. You object and there's no overriding legitimate reason to keep it
  4. The data was processed unlawfully
  5. There is a legal requirement to delete it
  6. The data was collected from a child (under 13)

When They Can Refuse

Companies can legally refuse deletion if the data is needed for:

  • Legal claims - Defending against or making legal claims
  • Legal obligations - Tax records, financial regulations
  • Public health - Medical records in some cases
  • Public interest - Journalism, research, archiving
  • Freedom of expression - News articles about public figures

Step-by-Step: Making a Deletion Request

Step 1: Find Their Data Protection Contact

Look for:

  • Privacy policy (usually links to data protection email)
  • "Contact DPO" or "Data Protection Officer"
  • GDPR contact form

Most companies have a dedicated email like privacy@company.com or dpo@company.com.

Step 2: Write Your Request

Your request should include:

"Dear Data Protection Officer,

Under Article 17 of the UK GDPR, I am requesting the erasure of all personal data you hold about me.

My details for identification:

- Full name: [Your name]
- Email address: [Your email]
- Account number/username: [If applicable]
- Address: [Your address]

Please confirm within one month that:

1. All my personal data has been erased
2. Any third parties you shared my data with have been notified
3. This includes all backups and archives

If you are unable to comply with any part of this request, please provide specific reasons citing the relevant legal exemption.

Yours faithfully,

[Your name]"

Step 3: Send It Properly

  • Email is fine - Keep the sent email as proof
  • Record the date - The 1-month clock starts when they receive it
  • Request read receipt if possible

Step 4: Wait for Response

They have one calendar month to:

  • Delete your data, OR
  • Explain why they can't, OR
  • Ask for more time (up to 2 more months for complex requests)

Step 5: Chase If Needed

If they don't respond within a month:

  • Send a follow-up referencing your original request
  • Set a final deadline (7 days)
  • Warn you'll complain to the ICO

What to Do If They Ignore You

Step 1: Formal Complaint to the Company

Write again, escalating as a formal complaint:

"This is a formal complaint. You have failed to respond to my GDPR Article 17 deletion request dated [date]. This is a breach of data protection law. I require a response within 7 days or I will escalate to the Information Commissioner's Office."

Step 2: Complain to the ICO

The Information Commissioner's Office (ICO) is the UK data protection regulator.

How to complain:

  • Online: ico.org.uk/make-a-complaint
  • Phone: 0303 123 1113
  • Include all correspondence and dates

What the ICO can do:

  • Force the company to comply
  • Issue fines up to £17.5 million
  • Take enforcement action

For serious cases, you can:

  • Sue for compensation (distress, damages)
  • Apply for a court order forcing deletion
  • Claim legal costs if you win

Common Excuses (And How to Counter Them)

"We need it for our records"

Counter: "Please specify which legal obligation requires you to retain my data and for how long. General business convenience is not a valid reason under GDPR."

"We need 28 days to process your request"

Counter: "GDPR allows one calendar month, not 28 business days. The deadline is [specific date]."

"You need to verify your identity first"

Counter: This is legitimate IF they ask for reasonable verification. But they can't use it to delay indefinitely. Provide ID and restart the clock.

"Your data has already been deleted"

Counter: "Please confirm this in writing and specify the date of deletion. Also confirm whether any data was shared with third parties and whether they have been notified."

"We can't delete everything"

Counter: "Please specify exactly which data you cannot delete and the legal basis for retention. All other data should be deleted immediately."

Counter: This is only valid if there's an actual or anticipated legal dispute. Ask them to specify what claim they're referring to.

Special Situations

Social Media Accounts

  • Facebook: Settings > Your Facebook Information > Deactivation and Deletion
  • Instagram: Through Facebook settings (same parent company)
  • Twitter/X: Settings > Your Account > Deactivate
  • LinkedIn: Settings > Data Privacy > Get a copy of your data / Close account
  • TikTok: Settings > Manage Account > Delete Account

Note: "Deactivating" isn't the same as "deleting". Make sure you choose full deletion.

Google Data

Google has specific deletion tools:

  • myactivity.google.com (search history)
  • myaccount.google.com/delete-services-or-account
  • Request removal of personal info from search results

Marketing Databases

If you keep getting unwanted marketing:

  • Request deletion under GDPR
  • Register with the Mailing Preference Service (MPS)
  • Register with the Telephone Preference Service (TPS)
  • Opt out of marketing separately from your deletion request

Old Accounts You've Forgotten

Sites like justdelete.me and accountkiller.com list direct deletion links for hundreds of services.

Your Rights Are Stronger Than You Think

Companies rely on people not knowing their rights or giving up. But GDPR is the law, and the ICO can issue serious fines. Don't be fobbed off.

Key Points to Remember:

  1. One month deadline - They can't drag it out indefinitely
  2. No fees - They can't charge you
  3. Specific refusal required - Vague excuses aren't good enough
  4. ICO has teeth - Fines of millions are possible
  5. You can sue - For damages and distress

Take control of your data. Use our GDPR Request Generator to create a legally-compliant deletion request, then follow up until it's done.

NoReply Team

Consumer rights experts dedicated to helping you get what you deserve.