Is the right to erasure the same as the right to be forgotten?

Yes. 'Right to be forgotten' is the popular name for the right to erasure codified in Article 17 of the EU General Data Protection Regulation (GDPR) and the UK GDPR.

How long does a company have to delete my data?

Under Article 12(3) GDPR, the controller must respond within one calendar month. The window can be extended by two further months for complex requests, but only with written justification.

Can a company refuse a right to erasure request?

Only on narrow grounds listed in Article 17(3) — for example, legal obligations to retain records, public interest, or the establishment of legal claims. Marketing data almost never qualifies.

Back to Home

GDPR Article 17

Your Right to Erasure (Right to Be Forgotten)

A free, no-signup guide to exercising your GDPR right to erasure under Article 17 — the legal basis for the "right to be forgotten" across the EU and UK. Includes a copy-paste email template and the statutory 30-day countdown.

~10 minutes•Updated June 2026

What is the right to erasure?

The right to erasure — commonly called the right to be forgotten — is codified in Article 17 of the GDPR. It lets any individual in the EU or UK demand that a company delete the personal data it holds about them, including data shared with third parties. Data brokers, marketing networks, and most online services must comply within one calendar month.

Step 1 — Find the data controller

Open the company's privacy policy and look for a contact addressed to the Data Protection Officer or a privacy@/ dpo@ mailbox. That is the legally responsible address for Article 17 requests.

Step 2 — Send the erasure request

Use the template below. Subject line:GDPR Article 17 — Right to Erasure Request.

Email templateCopy & customise

Subject: GDPR Article 17 — Right to Erasure Request

To the Data Protection Officer,

Under Article 17 of the General Data Protection Regulation (Regulation (EU) 2016/679, and the UK GDPR where applicable), I formally request the erasure of all personal data your organisation holds about me.

Personal identifiers to erase:
- Full name: [YOUR FULL NAME]
- Email address(es): [YOUR EMAIL ADDRESSES]
- Phone number(s): [YOUR PHONE NUMBERS]
- Postal address: [YOUR ADDRESS]
- Account ID (if applicable): [YOUR ACCOUNT ID]

I also request:
1. Written confirmation that the erasure has been completed.
2. Notification to any third parties with whom my data has been shared, as required by Article 19 GDPR.
3. Immediate cessation of profiling and direct marketing, as permitted under Article 21 GDPR.

Please respond within one (1) calendar month as required by Article 12(3) GDPR.

Kind regards,
[YOUR NAME]
[DATE]

Step 3 — Track the 30-day deadline

Article 12(3) GDPR gives the controller one calendar month. The clock starts the day you send the request. Log the date and follow up on day 25 if you haven't received written confirmation.

Step 4 — Escalate to your DPA

If the deadline passes or the company refuses without a valid Article 17(3) ground, file a complaint with your national Data Protection Authority — the ICO (UK), AP (NL), or BfDI (DE). Complaints are free and regularly trigger enforcement action.

Skip the paperwork

Privzr automates Article 17 requests to hundreds of data brokers and trackers in one click — then tracks the 30-day deadline for you.

Try Privzr free Read the FAQ