If you would like to have all of your data erased

In certain situations, you have the right to be forgotten. This means erasing all personal data concerning you from a particular dataset.

In certain situations, you have the right to request the controller to erase the personal data concerning you.

Personal data refers to information by which you can be identified.

A company, authority or corporation that collects your personal data is called a controller.

The controller is required to erase your personal data in the following situations:

  • The controller no longer needs your data for their original purpose.
  • You withdraw the consent you have given, and there is no other legal basis for processing your data.
  • You object to object to the processing of your data, and there is no justifiable reason for the processing.
  • You object to the processing of your data for purposes of direct marketing.
  • Your data has been processed unlawfully.
  • The law requires your data to be erased.
  • Your data has been collected on the basis of your custodian's consent in connection with the provision of information-society services. Information-society services include online shops and the social media, for example.

The controller will not be required to erase your personal data, however, if they are justifiably necessary for the following purposes:

  • the freedom of expression and information
  • compliance with legislation
  • the exercise of official authority vested in the controller
  • public interest – such as archiving, research or the compilation of statistics or
  • the establishment, exercise or defence of legal claims.

The erasure of data is free of charge. If the erasure request is unfounded or unreasonable, the controller has the right to charge a reasonable fee or refuse the request.

If the controller erases your data, it must communicate the erasure to all parties to whom the data have been disclosed in the past if viable. You can ask the controller to tell you the recipients of your data.

How to proceed

Make the erasure request directly to the controller. Additional information on the correct channels can usually be obtained from the controller's website or customer service.

In the request, specify

  • the data to be erased
  • the justifications for the erasure
  • your name and
  • your contact details (such as your e-mail address or telephone number).

The controller is required to reply to your request within one month. If the requests are numerous or complex, the controller can reply that it needs more time to process them. If the controller announces that it needs more time for processing, the deadline for replying will be three months from your original request. Wait for the controller's reply. Notifying you of a longer processing time does not mean that the controller will refuse to erase the data.

If the controller refuses to erase the data you have requested, it must state the reasons for its refusal. The refusal must always be based on law.  If you feel that the controller did not have legal grounds for its refusal, you can contact the Data Protection Ombudsman if necessary.