Article 17 of the UK and EU General Data Protection Regulation is, by the standards of European legislation, almost rude in its brevity. The whole thing fits on two pages. The famous label — the right to be forgotten — appears once, in the title, in parentheses.
What it does is simple. It gives you a unilateral right to demand that an organisation delete personal data it holds about you, provided one of six grounds applies. It lists four narrow exceptions. Everything else — brokers, lobbyists, customer-service scripts — is theatre over those eleven clauses.
The six grounds for erasure
Article 17(1) gives you the right to obtain deletion without undue delay if any one of the following applies. You need one, not all six.
(a) the personal data are no longer necessary in relation to the purposes for which they were collected.
(b) the data subject withdraws consent on which the processing is based, and there is no other legal ground.
(c) the data subject objects to the processing under Article 21(1), and there are no overriding legitimate grounds.
(d) the personal data have been unlawfully processed.
(e) the personal data must be erased for compliance with a legal obligation.
(f) the data have been collected in relation to the offer of information society services to a child.
For a data broker — Acxiom, LexisNexis, CoreLogic, Spokeo — ground (a) does most of the work. The "purpose" they collected your data for was to sell it on. That purpose ends the moment you say you do not consent to being part of their inventory. Ground (b) is also available wherever they ever claimed consent, which most quietly do.
The carve-outs in 17(3)
The exceptions are narrower than the cottage industry of "we regret to inform you" replies suggests. Erasure does not apply where processing is necessary for:
- freedom of expression and information
- compliance with a legal obligation, or a public-interest task
- reasons of public interest in public health
- archiving, scientific or historical research, or statistics
- the establishment, exercise or defence of legal claims
A broker reselling your address to a debt-collection list is none of these. A newspaper archive of a court case is plausibly the first. A credit-reference agency holding lending history under the Consumer Credit Act is relying on legal obligation — and can refuse, but only for the data the statute requires it to retain. Not the marketing affiliate. Not the people-search subsidiary.
"Freedom of expression" is not a magic word a marketing company can stamp on a refusal letter. It has to actually apply.
Controllers, processors, and who you write to
The request goes to the controller — the organisation that decides why and how data are processed. That is almost always the company whose website your record sits on. Article 17(2) then obliges that controller, if it has disclosed the data publicly, to take "reasonable steps" to inform downstream controllers of the erasure.
You do not have to chase downstream parties yourself, though in practice you should. A broker that sold your file to forty affiliates will, left alone, define "reasonable steps" as one email no one reads.
What a valid request looks like
There is no prescribed form. To be unmistakably valid under Article 12, a request needs:
- Identification. Name, current address, date of birth, and any previous addresses likely in their file. No passport scan by default — they may only ask for ID where they have reasonable doubts.
- The specific data. "All personal data you hold concerning me, including derived or inferred data" works. So does "the record at this URL on 12 May 2026". Both, ideally.
- The legal ground. Cite Article 17(1)(a) and (b) by name. That one sentence eliminates ninety per cent of stalling tactics.
- A reply address. Email is fine; a return postal address strengthens the paper trail.
Send it from an account you can keep open for three months. Keep the timestamp. That is your evidence.
The one-month clock
Article 12(3) gives the controller one month from receipt to respond, extendable by a further two months "where necessary, taking into account the complexity and number of requests" — but only if they tell you within the first month and explain why.
"We are busy" is not a reason. "We need to coordinate erasure across seven affiliates and re-issue suppression files" is. Most extensions sit between the two and go unchallenged because the requester stopped paying attention.
The response must either confirm erasure or explain, in writing, which Article 17(3) ground they rely on, and for which category of data. A blanket refusal is not compliant.
When they refuse
If the reply is a refusal you do not accept, or no reply arrives by day thirty, you have two free escalations.
In the United Kingdom, the supervisory authority is the Information Commissioner's Office. You file at ico.org.uk/concerns. It takes about fifteen minutes. The ICO rarely fines the broker on your behalf — but it will write to them, and brokers respond to ICO letters in a way they do not respond to yours.
In the European Union, you file with your member-state authority: the CNIL in France, the BfDI in Germany, the Garante in Italy. The full list sits on the European Data Protection Board's website; the one-stop-shop mechanism routes complaints to the right supervisor even when the controller is in another member state.
Keep the original request, the timestamp, and any reply. That packet is the complaint. You do not need a lawyer.
A note on what the law cannot do
Article 17 is a right against organisations that hold your data. It does not reach archives outside the UK and EU, and it cannot delete things already printed, screenshotted, or scraped into datasets the regulator cannot see. It stops the bleeding. It does not unwrite the past.
What it does, used properly, is remove your record from the live commercial flow — the lists sold, refreshed, and resold every quarter. Once you are off those, copies in the wild quietly age out.
If you would rather not draft thirty of these letters yourself, Nox Æterna handles all 150+ UK and US brokers in one £89 payment, cites the law in your name, and returns a PDF receipt when each one confirms. Same statute. Same clock. Done by us.