Personal
Real estate
Business
Log in
Create
Last will and testament
Modern slavery statement
Stock transfer form
Funeral plan
Declaration of trust
Disciplinary procedure
Health and safety policy
Grievance procedure
Whistleblowing policy
Flexible working request
Business continuity plan
Cease and desist letter
Eviction notice
Living will
Power of attorney
Invoice template
Resignation letter
Self certification form
Tenancy agreement
Section 21
Business plan
Affidavit
Deed of variation
Fire risk assessment
Section 8 notice
Privacy policy
Reference letter
Codicil
Safeguarding policy
Home
/
Personal
/
Data erasure request

FREE Data Erasure Request Template & Example

Data erasure request
Create Document
Updated on
06
/
09
/
2025
Written by
Katryn Broadhurst
|
Legally reviewed by
Similar names
Right to be forgotten request, Data deletion request, Erasure of personal data
+ 0 more
Show Less
Similar Tag Sample
Create and legal docs quick and easy
No need for expensive lawyers
Accessible anytime, anywhere in the world
Personalized legal documents for your needs
Data erasure request
Create Document

A data erasure request, often referred to as a GDPR data deletion request, is a formal written notice sent by an individual to an organisation asking for the permanent removal of personal data. 

This right is a cornerstone of modern privacy law, enabling individuals to control how their information is collected, stored, and shared. Businesses are legally obligated to respect these requests under data protection frameworks such as the GDPR, but the scope and exceptions vary depending on the circumstances.

In this article, we’ll explore what a data erasure request is, when it should be used, how to write one correctly, what essential elements it must contain, and the key legal tips for ensuring it is enforceable and taken seriously.

Table of Contents

What Is a Data Erasure Request?

A data erasure request is a legal tool under Article 17 of the General Data Protection Regulation (GDPR) that gives individuals the right to ask organisations to delete their personal data. This right applies not only to digital records, such as email addresses or account details, but also to offline data, including paper records stored by a company.

The scope of this right is not absolute. For example, organisations may refuse a request if the data is needed to comply with legal obligations, establish or defend legal claims, or serve the public interest. However, in most day-to-day scenarios, individuals can expect companies to honour their request if the data is no longer necessary, was collected unlawfully, or is being used in ways that the individual no longer consents to.

This makes data erasure requests an essential tool for regaining control over personal information in an increasingly digital environment where data is constantly collected and shared.

When Should You Use a Data Erasure Request?

There are several circumstances where submitting a GDPR removal request is both appropriate and effective. Understanding these scenarios helps ensure the request is valid and likely to succeed.

1. Outdated or Irrelevant Data

Organisations sometimes keep personal information for years without a clear justification, creating unnecessary risks for both the business and the individual. For example, customer purchase records, old employee files, or outdated subscription details may serve no ongoing purpose but still remain stored in databases. 

Retaining such data increases the chance of security breaches and non-compliance with GDPR’s storage limitation principle, which requires data to be kept only as long as necessary. By submitting a request to delete personal data in these circumstances, individuals can not only reduce the chance of their data being exposed but also ensure that organisations follow best practices for data minimisation and retention schedules.

Expert Tip:

“Always ask the organisation to explain their data retention policy when submitting your request. If they cannot justify why they hold outdated data, this strengthens your case for erasure.”

2. Withdrawal of Consent

When you give an organisation consent to process your personal information, you retain the right to revoke it at any time. For example, if you previously agreed to receive marketing emails or allowed an app to track your browsing history, you can later decide that you no longer want your information used for those purposes. 

A GDPR request to delete personal data ensures that the organisation halts processing and erases data that is no longer supported by a legal basis. This safeguard is crucial in contexts like healthcare or financial services, where sensitive information can have significant personal implications if it continues to be processed without consent.

3. Unlawful Processing

Unlawful processing occurs when personal data is collected or used without a valid legal ground. This could mean gathering more data than necessary during registration, failing to obtain informed consent, or using data for purposes not disclosed to the user. Under the GDPR, such practices can lead to regulatory fines and reputational damage. 

By filing a GDPR data deletion request, individuals can demand the erasure of unlawfully obtained data and push organisations to reassess their compliance procedures. This not only benefits the individual by protecting their rights but also holds companies accountable for improper practices, strengthening trust in data protection systems overall.

4. Direct Marketing Concerns

Marketing is one of the most common areas where data subjects exercise their right to erasure. Many people want to opt out of receiving unsolicited advertising, cold calls, or targeted promotions based on tracking. A data removal request email allows you to demand the deletion of contact details or marketing profiles used to deliver these communications. 

Under GDPR, individuals also have the absolute right to object to direct marketing, which means organisations must honour such requests without exception. Submitting a deletion request in this context not only helps reduce unwanted messages but also prevents businesses from profiling you for advertising purposes in the future.

How to Write a Data Erasure Request

Writing a GDPR-compliant request requires clarity and a structured approach. A vague or incomplete message can lead to delays, while a precise, legally grounded request compels organisations to act quickly. 

Using customizable templates from Legally.io ensures that the letter is properly formatted and legally sound, reducing the risk of rejection or confusion.

Step 1: Identify Yourself Clearly

The first step in writing a data erasure request is to establish your identity beyond any doubt. Organisations are not permitted to act on vague or unverifiable requests, as doing so could result in data being deleted at the request of someone impersonating you. Include your full legal name, current address, email address, and, if relevant, customer or account numbers that the business uses to identify you. 

If you’ve had multiple accounts or email addresses with the organisation, list those as well to ensure that all linked data can be located. Being precise at this stage reduces back-and-forth correspondence and speeds up the process.

Step 2: Reference Legal Rights

A request carries more weight when you explicitly reference the law that supports it. Under Article 17 of the GDPR, you have the “right to erasure,” which obliges organisations to delete personal data under certain conditions, such as when consent is withdrawn or the data is no longer needed. 

By citing this article, you demonstrate that your request is legally sound and not merely a personal preference. Including this reference also signals to the data controller that you are informed about your rights, making it harder for them to dismiss or delay the request. If you are outside the EU or UK, you may want to cite the relevant local law, such as the California Consumer Privacy Act (CCPA) in the United States.

Expert Tip:

“When citing GDPR, include the exact article number, Article 17(1), for erasure. This shows you know your rights and reduces the chance of the organisation dismissing your request as informal.”

Step 3: Specify Data to Be Deleted

Requests that are too broad or vague can lead to confusion or partial compliance. Instead of saying “delete everything,” outline exactly which records you want erased. For instance, you might request the deletion of your email address from marketing lists, the removal of your payment history prior to a certain year, or the erasure of your profile data on a digital platform. 

Specificity allows the organisation to act efficiently and demonstrates that you understand what categories of data they hold. You may also want to request confirmation of the deletion method—whether the data will be fully erased, anonymised, or archived. The clearer you are, the easier it is for the organisation to take action.

Expert Tip:

“Instead of asking for 'all data,' list categories like marketing subscriptions, purchase history, or stored documents. This narrows the scope and speeds up compliance.”

Step 4: Include Supporting Documents

To prevent fraud and ensure compliance, organisations may ask for proof of identity before processing a GDPR data deletion request. This may include a copy of a government-issued ID, a recent utility bill, or another document that verifies your connection to the account or data in question. While you are entitled to request deletion, the business is also entitled to verify your identity to prevent misuse of this right. 

Always redact unnecessary details, such as national ID numbers, to protect yourself from over-disclosure. Submitting this documentation upfront helps avoid delays caused by verification requests and increases the likelihood that your request will be handled swiftly.

Step 5: Set Expectations for Response

Finally, your request should clearly state expectations regarding timing and communication. Under the GDPR, organisations must respond within one month of receiving a valid request. In complex cases, they can extend this period by up to two additional months, but only if they notify you in writing and explain why more time is needed. 

By referencing this timeframe in your letter, you remind the organisation of its legal obligations and set a clear standard for accountability. You may also wish to request written confirmation once the deletion has been carried out, ensuring transparency and providing you with proof of compliance.

The European Data Protection Board (EDPB) also provides detailed guidance on how supervisory authorities handle these requests.

What Should a Data Erasure Request Contain?

To be effective, a GDPR removal request should include several key components that eliminate ambiguity and protect your rights.

  • Personal Identification: Provide your legal name, contact information, and relevant account references so the organisation can verify your identity.
  • Legal Basis: Clearly state that you are exercising your rights under Article 17 of the GDPR. This legal citation reinforces the validity of your request.
  • Data to Be Deleted: Identify the specific data or categories of information you want erased. General phrases like “all my data” are less effective than clearly defined categories.
  • Verification Documents: Attach documents confirming your identity to prevent fraud or misidentification.
  • Response Timeline: Explicitly mention the one-month response window to keep the process moving.

By including these elements, your request becomes both enforceable and efficient, reducing the chances of unnecessary disputes.

Legal Tips for Writing a Data Erasure Request

  • Confirm Jurisdiction: Not every privacy law applies universally. The GDPR governs requests in the EU and UK, while other regions may have their own frameworks, like the California Consumer Privacy Act (CCPA). Always verify which law applies to your case.
  • Be Clear and Specific: Vague statements slow down responses. Outline exactly which records you want removed and provide the reasons why. A clear request makes it easier for organisations to comply without confusion.
  • Keep Written Records: Always save copies of your request, including emails or postal receipts. If the matter escalates to a regulator, these records serve as evidence of your efforts to enforce your rights.
  • Use a Professional Template: Structured templates, such as those offered by Legally.io, ensure compliance with GDPR and increase the likelihood that your request will be processed correctly the first time.

Expert Tip:

“If an organisation refuses your request, ask them to provide the legal exemption they are relying on. Under GDPR, they must clearly explain why deletion is not possible.”

Key Takeaways

Data erasure requests are powerful tools that allow individuals to exercise control over their personal information. 

They should be used when data is outdated, unlawfully processed, or no longer relevant.

A strong request includes legal references, clear identification, and supporting documentation to reduce delays. 

Organisations must respond within strict deadlines, although certain exceptions apply.

By using structured templates from platforms like Legally.io and following legal guidance, individuals can ensure their requests are taken seriously and processed efficiently.

Ultimately, these requests not only safeguard privacy but also enforce accountability in how organisations handle personal data.

Frequently Asked Questions

Why do you need a data erasure request?
What is the right to be forgotten?
What details does a data erasure request need to include?
How long does a business have to respond to a data erasure request?
How should a business respond to a data erasure request?
What if a business doesn’t respond to a data erasure request?
Data erasure request
Create Document
Close Preview
Document Popup Title
This is a preview example. The final document will be tailored to your needs based on the information you provide in the next steps.
Create this document