UK GDPR DSAR & Right to Erasure (2026 Legal Guide) — Rules & Requirements
About this article
Sourced from UK Acts of Parliament, statutory instruments, and official guidance. Written in plain language for general understanding — this is educational content, not legal advice.
What is this right?
Under UK GDPR Article 15, you can request from any controller a copy of the personal data it holds about you, plus information about why it's processed, who it's shared with, and how long it's kept. The standard response time is one calendar month from receipt of the request (Article 12(3)) — extendable by a further two months for complex or numerous requests, with notice.
Under UK GDPR Article 17, you can demand the controller delete your personal data — the 'right to be forgotten' — on grounds including: the data is no longer necessary for the original purpose; you withdraw consent that was the only legal basis; you successfully objected to processing; the data was unlawfully processed; or erasure is required for a legal obligation.
Requests are free in almost every case. The Information Commissioner's Office (ICO) enforces these rights, and its process is also free.
When does it apply?
- You want to see the personal data a UK or EU business / public body holds about you.
- You want a UK business to delete the personal data it has collected about you, on any of the Article 17 grounds.
- You want to opt out of direct marketing. This is a separate rule under UK GDPR Article 21(2), which gives an absolute right to object.
- You want a search engine to de-index search results about you — the 'right to be forgotten' against search engines is exercisable as an Article 17 erasure request.
- The controller refused your request, took longer than one month without notice of extension, or charged an inappropriate fee.
Submitting a UK GDPR DSAR or Article 17 Erasure Request
- Identify the controller and use its DSAR / privacy contact. Most UK organisations publish a Data Protection Officer (DPO) or privacy team contact in the website footer or in the privacy notice. The ICO's standard advice is to use the channel the organisation has designated.
- Submit the request in writing. Identify yourself, specify the data you want (a DSAR can be broad — 'all personal data you process about me' — but narrower requests get faster responses), and (for erasure) cite the Article 17 ground.
- Track the one-month clock. The controller has one calendar month from receipt, but can extend by a further two months for complex or numerous requests — and must tell you about the extension within the original month, explaining why.
- If the controller refuses or doesn't respond, complain to the ICO. File at ico.org.uk or call the helpline on 0303 123 1113. The ICO's complaint process is free. It can issue enforcement notices and fines (up to £17.5 million or 4% of global turnover, whichever is higher, under UK GDPR Article 83).
- For search-engine de-indexing, you can also use the search engine's right-to-be-forgotten form directly. Google's form is the de-facto industry standard; results that meet the Google Spain test (the original CJEU case still applied as retained EU case law) are typically delisted within weeks.
- For sensitive sectors, complain to the sector regulator alongside the ICO. FCA-regulated firms also answer to the FCA; NHS bodies answer to NHS England's Information Governance team; police-related data answers to the IPCC.
What should you NOT do?
- Don't pay for a 'privacy removal' service that promises ICO escalation. The ICO complaint process is free and the form takes 15 minutes.
- Don't conflate DSAR with erasure. A DSAR shows you the data; erasure deletes it. Submit the right one (or both) for what you actually want.
- Don't accept an excessive identity-verification demand. The controller can verify your identity but must do so proportionately — passport copies for a marketing-list deletion are not proportionate. Push back if asked for more than what's necessary.
- Don't miss the one-month clock. Past one month with no response and no extension notice is itself a UK GDPR breach — the ICO takes timeline breaches seriously.
About Data Privacy & Digital Rights in the United Kingdom
UK residents have the strongest data-privacy and online-safety statutory framework in the English-speaking world. The UK GDPR and the Data Protection Act 2018 give every person rights of access, rectification, erasure, restriction, portability, and objection, exercisable against any controller processing their personal data. The standard controller response time is one month under Article 12(3) UK GDPR. The Information Commissioner's Office (ICO) enforces these rights, free of charge.
For intimate-image abuse, the Online Safety Act 2023 s. 188 inserted four offences into the Sexual Offences Act 2003 as s. 66B — these came into force on 31 January 2024. Sharing intimate images without consent (66B(1)) is a summary-only offence (6 months); with intent to cause distress, for sexual gratification, or as a threat (66B(2)–(4)) carries up to 2 years. Intimate-image abuse is now a priority offence under the Online Safety Act 2023, requiring platforms to proactively prevent it.
For specialist NCII support: the Revenge Porn Helpline (SWGfL, 0345 6000 459, Mon–Fri 10am–4pm) and StopNCII.org (free hash-based proactive removal across participating platforms, 18+).
Common Questions
What can I ask for in a DSAR?
Under UK GDPR Article 15: a copy of the personal data the controller holds about you, plus the purposes of processing, the categories of personal data, the recipients (especially any third countries), the retention period, your rights to rectification / erasure / restriction / objection, and (where applicable) the source of the data and any automated decision-making logic. Broad 'all personal data' requests are permitted; narrower requests are faster.
Are DSARs always free?
Yes for the first request, in almost all cases. Article 12(5) allows the controller to charge 'a reasonable fee based on administrative costs' or refuse 'manifestly unfounded or excessive' requests — but the bar is high and the burden is on the controller to demonstrate it.
Can I demand a search engine de-index results about me?
Yes — the Article 17 right to erasure applies to search engines as data controllers, following the CJEU Google Spain ruling (retained as UK law). Submit via the search engine's right-to-be-forgotten form. Successful removals are typically for results that are inaccurate, inadequate, irrelevant, or excessive given the purpose. Results of strong public interest (about politicians, public officials, or recent serious crimes) are harder to delist.
What can the ICO do if a controller ignores my request?
Issue an enforcement notice requiring compliance; fine up to £17.5 million or 4% of global turnover (whichever is higher) under UK GDPR Article 83; in serious cases, refer for criminal prosecution. The ICO does not award compensation to individuals — for that you sue the controller separately in the county court under Article 82 / DPA 2018 s. 168.