top of page

Right to get your information erased or destroyed

In a seashell:


Under section 19 of PIPA, you have the right to request an organisation to erase or destroy your personal information where that personal information is no longer relevant for the purposes for which it was originally collected.


The right to get your information erased or destroyed is also known as the right to erasure. In some circumstances, an organisation can refuse your right to erasure request.


The right to erasure applies in situations where:


1. An organisation no longer needs your information for the purpose for which it was originally used:

Scenario A

 

You have cancelled your gym membership, your account has been settled, and the appropriate retention period has expired. The gym should delete your personal information since it no longer needs to keep details of your name, address, age, and health conditions (sensitive personal information).


2. You have requested that an organisation stop the use of your information for direct marketing purposes:

Scenario B

 

You agreed to receive specific adverts directly and are no longer interested in them, and now want the information erased.


3. The organisation using your personal information has collected or used your information unlawfully:

Scenario C

 

The organisation hasn’t complied with the privacy rules under PIPA, so it does not meet the legal condition to use the information. You want them to erase what they hold. The organisation has a legal obligation to erase your information.

4. The information was collected from you when you were still a child (i.e., before you turned 14)
for an online service:

Scenario D 


You used social media or a gaming app as a child according to your parents’ consent, and you wish 
to withdraw your consent and have the information erased.


PIPA gives children special protection, especially online. Children are vulnerable and therefore 
may be less aware of the risks and consequences of giving their information to organisations.


People ask:

1. How do I ask for my information to be erased or destroyed?


You should contact the organisation using the contact details provided in their privacy notice and 
let them know what personal information you want them to erase.

When submitting your written request, you can use the master template on pp. 18-19 to help you 
raise your concern. The use of the master template is intended to serve as guidance when formally 
communicating with the organisation. Any other written format that you deem appropriate may also be used to raise your concern.


The added value of having everything in writing is that it will allow you to explain your concern, 
give evidence and explain what you want to happen. It will also provide clear proof of your actions 
if you decide to challenge the organisation’s response.


2. What should the organisation do?


The organisation must:


•  erase or destroy the personal information identified in the request; or
•  provide you with written reasons as to why the continued use of such personal information is 
    justified.


The organisation must erase and/or destroy your information, unless a PIPA exemption applies. If a 
PIPA exemption applies, the organisation can either fully or partly refuse to comply with your 
request (see pages 23-24).


The organisation should also tell anyone else that they have shared your information with about the 
erasure.


If you ask, the organisation must also tell you that they have shared your information with other 
organisations.


If your information has been made public online – such as on social networks, forums or websites – then the organisation must take reasonable steps to inform the organisations with whom the information has been shared and to erase links or copies of that information.


3. When can the organisation say no?


The organisation can refuse to erase your information under certain circumstances, such as:


• when keeping your information is necessary for reasons of freedom of expression and information (this includes                     journalism and academic, artistic and literary purposes);
• when the organisation is legally obliged to keep your information such as to comply with financial or other regulations;
• when the organisation is carrying out a task in the public interest or when exercising their official authority;
• when keeping your information is necessary for establishing, exercising, or defending legal claims; 

and


• when erasing your information would prejudice scientific or historical research or archiving that is in the public interest;

and


• when keeping your sensitive personal information is necessary for reasons of public health in the public interest.


The organisation can also refuse your request if it is “manifestly unreasonable” (see page 30).


If, after considering your request, the organisation decides it does not need to erase or destroy your information, it must still respond to you. It should explain to you why it believes it does not have to comply with your request and let you know about your right to complain about this decision to PrivCom, or through the courts.

For more information, see pp. 27-29 (Making a complaint).

 
bottom of page