Right to be Forgotten Request (UK)
What is a Right to be Forgotten Request (UK)?
A Right to be Forgotten Request in the United Kingdom is a legally binding written instrument.
The right to erasure was introduced into EU law by the General Data Protection Regulation in 2018 and was retained in the UK following Brexit as part of the UK GDPR framework. Unlike the original EU case law that coined the phrase 'right to be forgotten' (Google Spain SL v Agencia Española de Protección de Datos, 2014), which concerned the delisting of search engine results, the right under Article 17 UK GDPR applies broadly to any personal data processed by any data controller — from retailers and employers to social media platforms, search engines, and healthcare providers.
Personal data is defined broadly under UK GDPR as any information relating to an identified or identifiable natural person — a 'data subject'. This includes obvious personal information such as name, address, email address, and phone number, but also extends to IP addresses, location data, cookie identifiers, photographs, CCTV footage, health data, financial information, employment records, and any other data that can be linked to a specific individual.
The right to erasure is not absolute. Article 17(3) UK GDPR provides a number of exemptions — including where processing is necessary for compliance with a legal obligation, for the establishment, exercise, or defence of legal claims, or for reasons of public interest. However, the default position is that an organisation that receives a valid erasure request on one of the grounds in Article 17(1) must comply without undue delay and within one month.
A formal erasure request letter is the recommended way to exercise this right. It creates a written record of the date the request was made — which is important because the one-month compliance clock starts from the date of receipt — and it clearly identifies the data subject, the data to be erased, and the legal ground for erasure, leaving the controller in no doubt as to their obligations.
The legal framework governing the Right to be Forgotten Request (UK) in the United Kingdom draws on several key statutes and regulatory bodies. Under UK law, the UK GDPR and Data Protection Act 2018 apply to personal data processed under this agreement. The Consumer Rights Act 2015, enforced by the Competition and Markets Authority (CMA), protects consumer rights. Section 43 of the Companies Act 2006 governs company names. The Employment Tribunal adjudicates employment disputes under the Employment Rights Act 1996. The High Court of Justice and County Court have jurisdiction for civil matters under the Senior Courts Act 1981. Parties executing a Right to be Forgotten Request (UK) in the United Kingdom should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Freedom of Information Act 2000 sets the foundational requirements.
When do you need a Right to be Forgotten Request (UK)?
A Right to be Forgotten Request is appropriate in a range of situations in England and Wales.
Outdated or irrelevant online information: where a website, search engine, or online database holds personal information about you that is outdated, irrelevant, or no longer necessary — for example, an old news article about a past conviction that is now spent under the Rehabilitation of Offenders Act 1974, an outdated business listing, or an old social media profile linked to your name in search results.
Withdrawal of consent: where you originally gave consent for an organisation to process your personal data, and you have now withdrawn that consent and the organisation has no other lawful basis for continuing to process the data. Common examples include marketing databases, loyalty programme records, and newsletter subscription lists.
Lawful basis no longer exists: where personal data was collected for a specific purpose that no longer applies — for example, a former employer holding personal data after the employment has ended and the legal retention period has expired, or a former service provider retaining your data after you have cancelled a contract.
Unlawful processing: where you have reason to believe an organisation is processing your personal data without any lawful basis under Article 6 UK GDPR — for example, where data was collected without a privacy notice or used for purposes incompatible with its original collection.
Data collected from children: where personal data was collected from or about a person when they were a child in relation to information society services, and the individual now wishes to have that data removed.
Post-breakup data removal: where an individual wishes to remove their personal information — address, photograph, contact details — from a former partner's accounts or records, particularly in cases of potential harassment or domestic abuse.
What should a Right to be Forgotten Request (UK) contain?
An effective Right to Erasure Request for England and Wales should contain the following key elements.
Data subject's identity: your full name, address, email address, and any account number, username, or reference that the organisation uses to identify you. This is necessary to enable the controller to locate your data. You may be asked to provide proof of identity — a copy of a passport, driving licence, or utility bill — particularly if you are requesting erasure from a service where you had an account.
Data controller's details: the full name and address of the organisation or individual you are requesting erasure from. If the organisation has a designated Data Protection Officer (DPO), address the request to the DPO.
Identification of personal data: as specifically as possible, identify the personal data you wish to have erased — your name and email address held on a marketing database, your profile on a specific website, CCTV footage from a specific date, or all personal data the organisation holds about you.
Legal ground for erasure: state the specific ground under Article 17(1) UK GDPR on which you are making the request — for example, 'The data is no longer necessary for the purpose for which it was collected' (Article 17(1)(a)), or 'I withdraw my consent to the processing of my personal data, and there is no other lawful basis for processing' (Article 17(1)(b)).
Request to confirm compliance: ask the organisation to confirm in writing within one month that your personal data has been erased, and to confirm that any third parties to whom your data was disclosed have also been informed of the erasure request (Article 19 UK GDPR).
ICO escalation warning: state that if the organisation fails to comply within one month, you will lodge a complaint with the Information Commissioner's Office (ICO). The ICO has enforcement powers under the Data Protection Act 2018 including the power to issue compliance orders and fines.
Additional compliance elements for a Right to be Forgotten Request (UK) used in the United Kingdom include: Under UK law, the UK GDPR and Data Protection Act 2018 apply to personal data processed under this agreement. The Consumer Rights Act 2015, enforced by the Competition and Markets Authority (CMA), protects consumer rights. Section 43 of the Companies Act 2006 governs company names. The Employment Tribunal adjudicates employment disputes under the Employment Rights Act 1996. The High Court of Justice and County Court have jurisdiction for civil matters under the Senior Courts Act 1981. Forms-legal.com provides this template as a starting point for United Kingdom-compliant documentation.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.
Related Documents
You may also find these documents useful:
GDPR Subject Access Request (UK)
Create a UK GDPR Subject Access Request (SAR) to any organisation. Exercises your Article 15 right to access personal data held about you. Compliant with the UK General Data Protection Regulation and Data Protection Act 2018. Includes ICO escalation provisions.
Data Collection Consent Form (UK GDPR)
Create a legally compliant Data Collection Consent Form for England and Wales under the UK GDPR and Data Protection Act 2018. Covers lawful basis for processing under Article 6(1)(a), explicit consent for special category data under Article 9(2)(a), purpose limitation, third-party sharing disclosures, retention periods, data subject rights (Articles 15–22), right to withdraw consent under Article 7(3), and PECR-compliant marketing consent. Suitable for websites, apps, businesses, charities, and research organisations. Download as PDF or Word.
Formal Complaint Letter (UK) (Letters)
Create a Formal Complaint Letter for England and Wales. Covers consumer goods and services under the Consumer Rights Act 2015, financial services complaints under FCA DISP rules, legal services complaints for the Legal Ombudsman, and escalation paths including the Financial Ombudsman Service, Small Claims Court (up to £10,000), and approved ADR schemes. Download as PDF or Word.
Freedom of Information Request (England & Wales)
Create a formal Freedom of Information (FOI) request letter under the Freedom of Information Act 2000. Compliant with s.8 FOIA 2000, covering the 20-working-day response period, exemptions (absolute and qualified), Environmental Information Regulations 2004, and your right to internal review and ICO complaint.