Right to Be Forgotten (Right to Erasure) in the UK

The "right to be forgotten" is the right to erasure under Article 17 UK GDPR. It is not absolute: it only applies on specific grounds, comes with several exemptions, and does not guarantee your data disappears from every corner of the internet.
What Is the Right to Be Forgotten?
"Right to be forgotten" is the everyday name for the right to erasure, the formal right set out in Article 17 of the UK GDPR. It lets you ask an organisation that holds your personal data to delete it. The name suggests something sweeping, but the legal right is narrower and more conditional than it sounds: it only applies where one of a specific list of grounds is met, and an organisation can lawfully refuse if one of a separate list of exemptions applies.
The right sits alongside, but is distinct from, your right to get a copy of your data (the subject access request) and your right to object to certain processing. See the subject access request guide and the UK GDPR overview for how erasure fits into the wider set of rights.
When You Can Ask for Erasure: The Grounds
An erasure request only has to be granted where at least one of these grounds under Article 17(1) applies:

- The personal data is no longer necessary for the purpose it was originally collected or processed for.
- You withdraw the consent the processing relied on, and there is no other lawful basis for the organisation to keep processing it.
- You object to the processing (using your right to object) and there is no overriding legitimate ground for the organisation to continue, or your objection relates to direct marketing, in which case erasure follows automatically.
- The data has been processed unlawfully.
- Erasure is required to comply with a legal obligation the organisation is subject to.
- The data was collected in connection with an online ("information society") service offered directly to a child.
If none of these grounds apply, an organisation is not obliged to erase your data simply because you would prefer it gone. This is the main reason the "right to be forgotten" is weaker in practice than its name implies.
When an Organisation Can Refuse: The Exemptions
Even where a ground above applies, Article 17(3) lets an organisation refuse erasure, or erase only part of the data, where the processing is necessary for one of these reasons:
- Exercising the right of freedom of expression and information, including journalistic, academic, artistic or literary purposes.
- Compliance with a legal obligation, or for the performance of a task carried out in the public interest or in the exercise of official authority.
- Reasons of public interest in the area of public health.
- Archiving purposes in the public interest, or scientific, historical research or statistical purposes, where erasure would be likely to seriously impair or prevent achieving those objectives.
- The establishment, exercise or defence of legal claims.
These exemptions explain why, for example, a news organisation can usually keep a factually accurate article online despite an erasure request, why a business may need to retain records to meet its own legal or tax obligations, and why data relevant to an ongoing legal dispute does not have to be deleted on request.
How to Make an Erasure Request
There is no prescribed form. You can make a request verbally or in writing, including by email or through a webform if the organisation provides one, and you do not have to use the words "right to erasure" or cite Article 17 for it to count as a valid request, though doing so helps make your intent clear. It is sensible to identify yourself clearly, describe the data you want deleted, and explain why you believe a ground for erasure applies.

The organisation must respond within one month of receiving a valid request, the same core timeframe that applies to a subject access request, and this can be extended by up to two further months for complex or numerous requests, with the organisation telling you within the first month if it needs the extension. There is normally no fee for making the request itself.
If the organisation agrees, it must also take reasonable steps to tell other controllers it knows are processing the same data, where it made that data public, so they are aware an erasure request has been made. It does not, however, guarantee that every downstream copy is found and removed.
Search Engines and Delisting
Asking a search engine such as Google to remove a search result is a different process from asking the website that published the data to delete it. This distinction traces back to the principle established in the CJEU's Google Spain ruling, that a search engine can itself be responsible for delisting a result under data protection law, separately from whether the underlying page stays online.
In practice this means two separate requests may be needed: one to the website hosting the content, and, if that does not resolve the issue, a separate request submitted directly to the search engine asking it to delist the specific search result from searches for your name. Delisting removes the page from that search engine's results; it does not delete the original page, and the content can still be found through other search engines, direct links, or by searching different terms.
What If Your Request Is Refused?
If an organisation refuses to erase your data, or does not respond within the required timeframe, it should explain its reasons, including which exemption it is relying on if that is the basis for refusal. If you disagree with the outcome, the next step is to complain to the organisation directly using its own complaints process, and if that does not resolve things, to complain to the ICO. See the ICO complaint guide for how that process works. You also have the option of applying to a court, though most people raise the ICO complaint route first.

A UK erasure request does not guarantee your data will disappear everywhere. It obliges the specific organisation you contacted, and any other controllers it is required to notify, but it cannot reach copies held by third parties who were never told, cached or archived versions, screenshots, backups, or services based outside the UK's regulatory reach. Treat erasure as a right to have a specific controller stop holding your data on valid grounds, not as a way to make information vanish from the internet entirely.
This article is for general information only and is not legal advice. Whether a particular request meets a ground for erasure, or whether an organisation can lawfully rely on an exemption, depends on the specific facts, so anyone unsure should seek independent advice or contact the ICO directly. For the wider picture of UK data protection rights, see the UK Data Privacy hub and the United Kingdom hub.
Frequently Asked Questions
What is the right to be forgotten in the UK?
It is the everyday name for the right to erasure under Article 17 UK GDPR, which lets you ask an organisation to delete personal data it holds about you, but only where one of a specific list of grounds applies.
Can I always ask a company to delete my data?
No. The right only applies where a specific ground under Article 17(1) is met, such as the data no longer being necessary, withdrawn consent, unlawful processing, a successful objection, a legal duty to erase, or data collected from a child for an online service. It is not a general right to have any data deleted on request.
What if the organisation relies on an exemption to refuse?
Article 17(3) lets an organisation refuse erasure where processing is necessary for freedom of expression and journalism, a legal obligation or public-interest task, public health, public-interest archiving or research, or establishing, exercising or defending legal claims. The organisation should tell you which exemption it is relying on.
How long does an organisation have to respond to an erasure request?
One month from a valid request, the same as a subject access request, extendable by up to two further months for complex or numerous requests, provided the organisation tells you within the first month that it needs the extra time.
Does erasure remove my data from Google search results too?
Not automatically. Removing content from a website and delisting a search result are separate processes. If the website will not remove the underlying page, you can separately ask the search engine to delist that specific result from name searches, but the original page can remain online and findable in other ways.
What can I do if my erasure request is refused?
Ask the organisation to explain its reasoning and which ground or exemption applies. If you are not satisfied, complain to the organisation through its own complaints process, then to the ICO if that does not resolve it. Going to court is also an option.
Does erasure guarantee my data disappears everywhere?
No. It only obliges the organisation you contacted, and any other controllers it must notify where it made the data public. Copies held by parties never told, cached pages, screenshots, backups and services outside UK regulatory reach may still exist.
Sources and References
- ICO: Right to erasure guidance(ico.org.uk).gov
- ICO: Your right to get your data deleted(ico.org.uk).gov
- legislation.gov.uk: UK GDPR Article 17 (Right to erasure)(legislation.gov.uk).gov
- ICO: Make a complaint(ico.org.uk).gov
- gov.uk: Data protection(gov.uk).gov