Right to be forgotten — Article 17 GDPR
The "right to be forgotten" — formally, the right to erasure under Article 17 GDPR — gives you the power to require an organisation to delete personal data it holds about you in specific circumstances. It is not absolute. It does not apply to every kind of data. But it is real, enforceable, and free to exercise. This page covers when it applies, when it doesn't, and how to use it.
The short version
- The right exists under Article 17 GDPR + the Data Protection Act 2018.
- It applies to personal data — anything that identifies you, directly or indirectly.
- It applies in six specific circumstances (below). Outside those, the organisation can refuse — lawfully.
- Organisations have one month to respond.
- Refusal is appealable to the Data Protection Commission. See DPC complaints.
When the right applies
You can require erasure in these six situations (Article 17(1) GDPR):
| Situation | Example |
|---|---|
| 1. The data is no longer needed for the purpose it was collected | You closed an old account; the company still has years of your data. |
| 2. You withdraw the consent you originally gave | You consented to marketing emails years ago and now withdraw — they should delete the marketing-purpose data. |
| 3. You object to processing and there's no overriding legitimate basis | You object to profiling for direct marketing — they must stop and delete. |
| 4. The data has been unlawfully processed | The organisation collected it without a lawful basis in the first place. |
| 5. Erasure is required to comply with a legal obligation | A specific law requires deletion (e.g. spent convictions in some contexts). |
| 6. The data was collected from a child for an online service offered to children | Special protection where the original consent was given by or for a child. |
When the right does NOT apply (Article 17(3))
Erasure can be lawfully refused if processing is necessary for:
- Freedom of expression and information. Journalism, academic research, art, literature.
- A legal obligation the organisation is subject to (e.g. tax records that must be retained for 6 years).
- The performance of a task in the public interest or exercise of official authority.
- Public-health purposes.
- Archiving in the public interest, scientific or historical research, statistical purposes — where erasure would seriously impair achievement of those purposes.
- The establishment, exercise or defence of legal claims.
In practice this means that an organisation holding your data because the law requires them to (banking transaction records, employer tax records, social-welfare records of benefits paid) can lawfully refuse erasure even when you ask. Whether their refusal is correct on the facts is itself reviewable by the DPC.
The most common myth — "right to be forgotten" is broader than it is
The right to erasure is not a right to wipe yourself from the internet. It is not a right to require Google to delete search results in every case. (The narrower "right to delisting" against search engines, established in the Google Spain case, is a separate and narrower right.) And it is not a right to require a news organisation to delete an article about you.
Useful framing: the right is "delete the personal data you hold about me in circumstances where you have no continued lawful basis", not "remove all traces of my past".
How to file an erasure request
Identify the organisation and their DPO contact
Usually a published email like
dpo@<organisation>.ieorprivacy@<organisation>.ie. Look in their privacy policy.Be specific about what you want erased
"All personal data" is acceptable but it makes the request easier to refuse on completeness grounds. Better: "All personal data, including marketing-purpose data, account history, and any analytics or profiling data linked to my account."
State which Article 17 ground applies
(1) no longer needed, (2) consent withdrawn, (3) objection without overriding legitimate basis, etc. You don't have to be a lawyer about it; just point to which situation applies to you.
Send by email; keep the timestamp
Starts the one-month clock.
Erasure request template
To: [Data Protection Officer / Privacy Officer]
[Organisation name]
[DPO email]
Subject: Erasure Request under Article 17 GDPR
Dear Data Protection Officer,
I am writing to make a request for erasure of my personal data under
Article 17 of the General Data Protection Regulation (GDPR).
The basis for my request is:
[Pick the applicable ground:]
☐ The personal data is no longer necessary for the purpose it was
originally collected (Article 17(1)(a)).
☐ I withdraw the consent on which the processing is based, and there
is no other legal ground for the processing (Article 17(1)(b)).
☐ I object to the processing under Article 21 and there are no
overriding legitimate grounds (Article 17(1)(c)).
☐ The personal data has been unlawfully processed (Article 17(1)(d)).
☐ Other — please specify.
Please erase:
[Be specific. Examples:]
- All personal data held about me by your organisation.
- All marketing-purpose data, including profile, preferences and
analytics records linked to my account.
- All data collected after [specific date].
- The specific data items: [list].
My identifying details:
Full name: [your full legal name]
Email on the account: [registered email]
Account / customer
reference (if any): [identifier]
Address (if needed): [address]
Please respond within one month, as required by Article 12(3) GDPR.
Where you decline this request in whole or in part, please cite the
specific exemption under Article 17(3) GDPR you are relying on and
provide reasons.
Yours sincerely,
[Your name]
[Date]
What happens after you file
- One month to respond. Extendable to three months total only in genuinely complex cases, with notification to you within the first month.
- If they erase — they should confirm what was erased and from which systems (including backups; though backups have a longer practical timeline).
- If they refuse — they must give specific reasons and cite the exemption they're relying on. You can challenge through the DPC.
- If they don't respond at all — that's a separate Article 12 breach. Complain to the DPC.
The Department of Social Protection / MyGovID case
Erasure requests against state bodies are legally more complex because state bodies often have a statutory obligation to retain data (e.g. social-welfare records for audit, tax records for the statutory limitation period). A request to "erase my MyGovID" specifically may be refused on the ground that the underlying identity record is required for the Department's statutory functions, even though the MyGovID account itself can be closed.
If your concern is that data is being retained longer than necessary — particularly identity-document images submitted at SAFE registration — that's exactly the issue the DPC found problematic in 2019. See DPC ruling explained.
Backups
Erasure from live systems is usually possible quickly. Erasure from backups takes longer — backups are designed to be immutable, so the standard practice is that the data is marked for non-restoration and eventually rolls out of the backup window naturally. Organisations should explain their backup-handling in any erasure response.
Related
- Your data rights — overview
- Subject Access Request template — file an SAR first to see what's actually held; makes the erasure request more precise.
- DPC complaints — if your erasure request is refused or ignored.