Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Contents
- What Does The GDPR Say About Data Deletion?
- When Are You Allowed – Or Required – To Delete Personal Data?
- 1. The Data’s No Longer Needed For Its Original Purpose
- 2. The Individual Withdraws Consent
- 3. The Person Objects And There’s No Overriding Legitimate Ground
- 4. Data Was Collected Or Used Unlawfully
- 5. You’re Legally Required To Erase It
- 6. The Data Relates To A Child’s Online Services And Consent Is Withdrawn
- When Can’t You Delete Personal Data – Even If Requested?
- Can I Use GDPR To Have My NDA Wiped?
- How Should Businesses Safely Handle Deletion Requests?
- What Happens If You Delete Personal Data Improperly?
- FAQs: Common Questions About Deleting Personal Data
- Why Is Verification So Important Before Deleting Data?
- Key Takeaways
- Need Legal Help With GDPR & Data Deletion?
In a world where we’re all leaving digital footprints everywhere we go, it’s not surprising that “Can I delete that?” is one of the most common privacy questions business owners ask. Maybe you’ve received a request from a customer to erase their information, or perhaps you’re reassessing your company’s data retention practices as part of your General Data Protection Regulation (GDPR) compliance.
But deleting personal information isn’t always as simple as hitting the ‘delete’ button. The GDPR gives people certain rights over their data – but it also puts specific safeguards and limits on when businesses can, and must, erase that data. The stakes are high: mishandling deletion can lead to legal trouble, unhappy customers, or regulatory fines.
So, when can you actually remove personal information? And how do you make sure you’re staying on the right side of the law? If you’re looking for answers – or wondering things like “Can I use GDPR to have NDA wiped?” – keep reading for a clear breakdown tailored for UK businesses.
What Does The GDPR Say About Data Deletion?
The GDPR was designed to put individuals in the driver’s seat when it comes to their own personal data. It gives every person the “right to erasure” (sometimes called the ‘right to be forgotten’). But like most things in law, it’s not an unlimited right. Let’s start with the basics:
- The right to erasure means individuals can ask you to delete their personal data in certain situations.
- Personal data means any information that relates to or can identify a living individual – like names, contact details, photos, or even online identifiers. (For more detail on what’s covered, see our GDPR guide.)
- The GDPR (and, in the UK, the UK GDPR together with the Data Protection Act 2018) sets out specific legal reasons or “lawful bases” for collecting and keeping data. Once you no longer have a valid basis, you mustn’t keep that data longer than necessary.
When Are You Allowed – Or Required – To Delete Personal Data?
There are a few key scenarios where the GDPR either permits or requires you to remove personal data. Here’s a breakdown:
1. The Data’s No Longer Needed For Its Original Purpose
If you gathered personal data for a specific purpose – maybe to process an order, manage a service contract, or sign up a client newsletter – and you no longer need it for that purpose, you should securely delete it.
- Example: A customer has closed their account, you’ve settled all obligations, and there’s no other legal reason to keep their info.
2. The Individual Withdraws Consent
If you were relying on the data subject’s consent as your lawful basis and they withdraw it, you must stop the processing and will usually have to delete the data, unless another lawful basis (such as a legal obligation) still applies to it.
3. The Person Objects And There’s No Overriding Legitimate Ground
People can object to processing that is based on “legitimate interests” (or on a public task). You must then stop unless you can show compelling legitimate grounds that override the individual’s interests. Objections to direct marketing are different: there is no balancing test, and you must stop using the data for marketing as soon as you receive the objection.
4. Data Was Collected Or Used Unlawfully
If you’ve acquired or processed personal data in a way that breaks the law or doesn’t meet GDPR standards (for example, with no valid lawful basis), you may need to erase it to put the situation right.
5. You’re Legally Required To Erase It
A separate legal obligation may require you to delete some types of data, or to delete it by a regulatory deadline (think certain financial records, or data subject to statutory retention limits).
6. The Data Relates To A Child’s Online Services And Consent Is Withdrawn
If you collected data on the basis of consent for an online service offered directly to a child, and consent is withdrawn by them or their guardian, the GDPR expects prompt deletion. Someone can make this request as an adult about data collected when they were a child. For more detailed compliance advice, check out our guide to customer data protection or GDPR privacy policy resources.
When Can’t You Delete Personal Data – Even If Requested?
The right to erasure is balanced against other rights and obligations. Sometimes, you must keep the data even if someone asks you to delete it. Here are a few examples:
- You Must Comply With A Legal Obligation: For instance, UK companies typically have to retain tax and financial records for a set number of years under legislation like the Companies Act or HMRC rules.
- For Public Health, Legal Claims, Or Vital Interests: Certain situations (like active legal proceedings, or protecting someone’s life) may require you to retain data temporarily.
- Freedom Of Expression Or Public Interest: Sometimes, freedom of speech, news reporting, or archiving for public interest can override the deletion right.
Can I Use GDPR To Have My NDA Wiped?
We often get asked, “Can I use GDPR to have my NDA wiped?” – meaning, can someone request deletion of confidentiality agreements (NDAs) bearing their name or signature? The short answer: Not usually. An NDA (non-disclosure agreement) is a contract between parties, often containing personal data (such as names, addresses, or signatures), but its primary purpose is to record, define, and protect confidential obligations. Contracts are generally retained for as long as their terms have legal force, for record-keeping, or to defend against potential claims.
- Under the GDPR, you aren’t required to delete personal data just because someone requests it if you still need that data to meet your contractual, legal, or legitimate business interests.
- This means that erasing an NDA while the agreement is still in force (or even for a period after) could undermine your ability to enforce its terms or defend your business.
How Should Businesses Safely Handle Deletion Requests?
You may receive erasure requests as written requests, emails, or even informal messages from customers, employees, or partners. A request doesn’t have to mention the GDPR or use the words “right to erasure” to count. Here’s how to handle them the right way:
1. Confirm The Identity Of The Requestor
Never delete personal data just because anyone asks. You must confirm that the person making the request is the data subject or their authorised representative.
- The Information Commissioner’s Office (ICO) expects you to ask for enough information to be reasonably satisfied of the requester’s identity where you have doubts, and no more than is proportionate to the sensitivity of the data: a reply from the email address on the account may be enough for a newsletter list, while a copy of ID may be appropriate for financial or medical records. If you need further information to verify identity, the one-month clock starts from the day you receive it.
- This protects against fraudsters tricking you into deleting someone else’s data, which could expose your business to legal action or claims. Think: an ex-employee trying to wipe damaging evidence, or someone posing as a customer to remove debt records.
2. Review Whether The Right To Erasure Applies
Work through the scenarios above and decide if any exemptions prevent deletion. For instance, do you still have a contractual or legal need for the data? If so, document your decision and tell the requester which data you are keeping and why. Treat each category of data separately: you may be able to delete a marketing profile while lawfully retaining the invoices.
3. Respond Promptly And Transparently
The GDPR says you must respond to data erasure requests “without undue delay” and in any case within one month of receiving the request. You can extend this by up to two further months if the request is complex or you have received several from the same person, but you must tell the requester within the first month and explain why. If you’re denying the request (in part or whole), explain your reasons and tell them they can complain to the ICO or seek a judicial remedy – don’t simply ignore or delay.
4. Safely Delete If Appropriate
If personal data does need to be erased, make sure it’s done securely – such as overwriting digital files, shredding paper copies, or anonymising databases, so that the information can’t be reconstructed. Make sure deletion actually removes the data rather than hiding it: a “soft delete” flag in a database, an archived mailbox, or an old export on a shared drive still counts as holding the data. Cover every copy, and instruct any processors (hosting providers, CRM vendors, payroll bureaus) holding the data on your behalf to delete it too. If you have made the data public, you must also take reasonable steps to tell other controllers who are processing it that erasure has been requested.
5. Update Your Records
Keep a log of all deletion requests and your responses, in case you need to prove GDPR compliance later. The log itself should not re-store what you have just erased: record a reference to the request, the categories of data deleted or retained, and the reasons, not the content. For more info on record-keeping and good privacy policies, see our privacy policy guide.
What Happens If You Delete Personal Data Improperly?
Deleting data too soon, or without proper checks, can be as risky as keeping it too long. Here are just a few things that could go wrong:
- Breach Of Contract: Deleting employment, supplier, or customer records before your legal obligations are up could make it hard (or impossible) to resolve disputes, recover debts, or defend claims.
- Regulatory Issues: The ICO can fine businesses for mishandling data – including improper deletion, failing to respond to erasure requests properly, or failing to keep required records.
- Reputational Damage: If a customer or employee finds their essential records gone or their deletion request ignored, this can lead to loss of trust and even negative online reviews. Learn how to deal with online reviews.
- Data Breaches: Data you believe is gone but which is still recoverable (a soft-deleted row, a forgotten export, an unwiped laptop disk, a backup nobody tracks) is still personal data you hold. If it leaks, it is a reportable breach involving an individual you have told no longer has data with you. Your data breach response plan should know where such copies live.
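The request-handling steps above (verify identity, review exemptions per category, compute the one-month deadline, delete what may be deleted, and log the outcome without re-storing the data) as a single worked example. This is an added illustration, not Sprintlaw’s code or any client’s system; the record store, the exemption codes (`legal_claims`, `legal_obligation`, `contract`), the retention dates and the logging key are all assumed for the example.

```python
"""Worked example: handling an erasure request end to end.

Added illustration, not Sprintlaw's code. The record store, exemption codes,
retention dates and LOG_KEY below are assumptions made for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import hmac

# Assumed secret: the deletion log keeps a keyed hash of the subject reference,
# so the log does not become a fresh copy of the identifier just erased.
LOG_KEY = b"example-key-rotate-in-production"


@dataclass
class Record:
    subject_id: str
    category: str                        # e.g. "marketing", "tax", "nda"
    retain_until: Optional[date] = None  # end of a statutory retention period
    legal_hold: bool = False             # needed for active or anticipated claims
    contract_active: bool = False        # agreement still in force (e.g. an NDA)


@dataclass
class ErasureRequest:
    subject_id: str
    received: date
    identity_verified: bool              # step 1, done by a separate process


def one_month_after(d: date) -> date:
    """Step 3 deadline: same day next month, clamped to month end (31 Jan -> 28/29 Feb)."""
    y, m = d.year + (d.month == 12), d.month % 12 + 1
    month_end = (date(y + (m == 12), m % 12 + 1, 1) - timedelta(days=1)).day
    return date(y, m, min(d.day, month_end))


def deadline_for(received_iso: str) -> str:
    return one_month_after(date.fromisoformat(received_iso)).isoformat()


def retention_reason(rec: Record, today: date) -> Optional[str]:
    """Step 2: the ground for refusing erasure of this record, or None if it may go."""
    if rec.legal_hold:
        return "legal_claims"
    if rec.retain_until is not None and rec.retain_until > today:
        return "legal_obligation"
    if rec.contract_active:
        return "contract"
    return None


def audit_ref(subject_id: str) -> str:
    """Pseudonymous reference for the log (HMAC-SHA256 under the assumed LOG_KEY)."""
    return hmac.new(LOG_KEY, subject_id.encode(), "sha256").hexdigest()[:16]


def handle_erasure(req: ErasureRequest, store: list, today: date):
    """Steps 2-5: decide per category, remove what may be removed, return (log entry, remaining store)."""
    entry = {"ref": audit_ref(req.subject_id), "received": req.received.isoformat(),
             "respond_by": one_month_after(req.received).isoformat(),
             "deleted": [], "retained": {}}
    if not req.identity_verified:          # step 1 not complete: nothing is deleted
        entry["status"] = "pending_identity_verification"
        return entry, list(store)

    remaining = []
    for rec in store:
        if rec.subject_id != req.subject_id:
            remaining.append(rec)
            continue
        reason = retention_reason(rec, today)
        if reason is None:
            entry["deleted"].append(rec.category)      # dropped from the live store
        else:
            entry["retained"][rec.category] = reason   # kept; reason goes in the reply
            remaining.append(rec)

    if entry["retained"] and entry["deleted"]:
        entry["status"] = "partially_erased"
    elif entry["retained"]:
        entry["status"] = "refused"
    else:
        entry["status"] = "erased"
    return entry, remaining


# Constructed sample data: one customer with a marketing profile, a tax record
# under statutory retention, and a signed NDA still in force; one other customer.
SAMPLE_STORE = [
    Record("cust-42", "marketing"),
    Record("cust-42", "tax", retain_until=date(2030, 4, 5)),
    Record("cust-42", "nda", contract_active=True),
    Record("cust-7", "marketing"),
]
TODAY = date(2024, 2, 1)


def demo() -> dict:
    verified = ErasureRequest("cust-42", date(2024, 1, 31), identity_verified=True)
    unverified = ErasureRequest("cust-42", date(2024, 1, 31), identity_verified=False)
    entry, remaining = handle_erasure(verified, SAMPLE_STORE, TODAY)
    pending, untouched = handle_erasure(unverified, SAMPLE_STORE, TODAY)
    return {"entry": entry, "remaining": [(r.subject_id, r.category) for r in remaining],
            "pending": pending, "untouched_count": len(untouched)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

For the sample request the marketing profile is erased, the tax record and the NDA are retained with their reasons, and the status is partially erased, which is exactly what the reply to the requester should say. The unverified request deletes nothing. The log entry carries only a keyed hash of the subject reference and the category names, so producing it later to a regulator does not mean you have quietly kept the data.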
FAQs: Common Questions About Deleting Personal Data
Why Doesn’t The GDPR Let Me Delete Everything I Want?
Think of the GDPR as a safeguard for both privacy and good record-keeping. Erasing data could cause harm if you (or your client, employee, or supplier) ever need those records again for legal, medical, or business reasons. Premature deletion might make it impossible to enforce contracts, clarify disputes, or comply with statutory requirements. Always check your legal obligations before deleting.
Can Employees, Customers, Or Third Parties Force My Business To Delete Data?
No one has an unlimited right to erasure. If there’s a law or contract requiring you to keep data, you’re within your rights to refuse deletion – as long as you have a valid, documented reason. You must respond with your reasons, tell the person they can complain to the ICO, and be as transparent as possible.
How Do I Prove I Have Deleted Data?
Keep records of when data was deleted, which categories of data, the request received, the identity checks performed, and the legal basis for your actions. Record references and categories rather than copies of the data itself, so the log doesn’t become another place the data lives on. Good documentation is one of the best ways to prove your GDPR compliance if ever challenged by a regulator or customer.
Does Deleting Data Mean Destroying Backups And Emails Too?
Yes – if personal data exists in backups, archives, or emails, these should also be erased as far as is technically possible. Where data in a backup cannot be deleted straight away, the ICO expects you to put it “beyond use”: restrict access, make sure it won’t be restored into live systems except where the law allows, and delete it when the backup is overwritten or expires. Tell the requester that this is what will happen and when. If you must keep certain backups for business continuity or regulatory purposes, document why.
Can I Use Templates For Erasure Or GDPR Compliance?
We recommend caution with templates or “one-size-fits-all” policies. Your legal obligations depend on the types of data you hold, your industry, and your specific contracts. Tailored advice can help ensure you don’t accidentally expose yourself to risk. Our privacy complaint handling procedure guide is a good starting point, but professional review is always best for legal peace of mind.
Why Is Verification So Important Before Deleting Data?
If someone maliciously posed as a customer and got their medical, financial, or business records erased, the impact could be devastating – and your business could be liable for much more than an “oops”. Identity verification protects everyone involved. For high-value, sensitive, or contractual documents (such as NDAs), it’s absolutely vital to check and document identity with care, and to match the strength of the check to the sensitivity of what is being deleted.
Key Takeaways
- GDPR gives individuals a right to erasure, but this isn’t absolute – you must balance it with your legal and business obligations.
- You can delete personal data in limited circumstances: when it’s no longer needed, consent is withdrawn, or you’re legally obliged to erase it.
- Always verify the requester’s identity before acting on a deletion request to avoid fraud or unauthorised erasure.
- Some information – like contracts (including NDAs), tax records, or data needed for legal proceedings – can’t be deleted if there’s a valid reason to retain it.
- Deleting personal data improperly puts your business at legal, financial, and reputational risk. Document every action and your reasons for it.
- When in doubt, seek professional legal advice to ensure you’re complying with GDPR and other UK laws.
Need Legal Help With GDPR & Data Deletion?
If you’re unsure whether you can delete personal information – or if you’re dealing with complex scenarios like requests to remove NDAs under GDPR – we’re here to help. Our expert team can guide you through data privacy compliance, contracts, and risk management, ensuring your business stays protected. For a free, no-obligations chat, call us on 08081347754 or email team@sprintlaw.co.uk – and get peace of mind around your data and privacy obligations from day one.
Alex Solo, Co-Founder