Help Centre

Article 17 — Right to Erasure ("Right to be Forgotten")

Individuals can request you delete their personal data in certain circumstances. You must comply if:

• The data is no longer necessary for the purpose it was collected.
• They withdraw consent and there is no other legal basis.
• They object under Article 21 and you have no overriding legitimate interests.
• The data was unlawfully processed.
• Erasure is required to comply with a legal obligation.

Grounds to refuse erasure: legal obligation to retain data; exercise of legal claims; public interest in public health (NHS); freedom of expression and information; archiving or research in the public interest.

Article 18 — Right to Restriction

The individual can ask you to "freeze" processing of their data in certain situations — you must still store it, but cannot otherwise use it. Grounds for restriction:

• They contest the accuracy of the data (restriction applies while you verify it).
• Processing is unlawful but they prefer restriction over erasure.
• You no longer need the data but they need it for legal claims.
• They have objected to processing under Article 21 and you are considering whether your legitimate interests override theirs.

Article 20 — Right to Data Portability

Individuals can request their data in a "structured, commonly used, and machine-readable format" (e.g. JSON, CSV, XML) when: the processing is based on consent or a contract, and the processing is carried out by automated means. This does not apply to processing under legal obligation or public task.

Article 21 — Right to Object

Individuals can object to processing based on legitimate interests (Article 6(1)(f)) or public task (Article 6(1)(e)), and to direct marketing at any time. For legitimate interests, you must stop processing unless you can demonstrate "compelling legitimate grounds" that override the individual's interests.