Right to Erasure
A data subject's right under GDPR and UK GDPR to request that an organisation delete their personal data in certain circumstances.
Also known as: right to be forgotten, GDPR erasure, Article 17
Last reviewed: 10 June 2026
The right to erasure, also called the 'right to be forgotten', is codified in Article 17 of the UK GDPR and EU GDPR. It allows individuals to request that a controller delete their personal data when: the data is no longer necessary for the purpose for which it was collected; the individual withdraws consent and no other legal basis applies; the individual objects to processing and there are no overriding legitimate grounds; the data was processed unlawfully; or deletion is required for legal compliance.
For scam victims, the right to erasure is relevant in two main contexts. First, victims of identity theft may need legitimate companies to erase fraudulently created accounts in their name. Second, victims whose images, contact details, or other personal data have been harvested and misused by scam operations may seek erasure from data brokers or from search engines (via the 'right to delist' for search results linking to inaccurate or harmful content).
The right is not absolute: controllers can refuse erasure where data must be retained for legal compliance, to defend legal claims, for public interest research, or for other specified grounds. Controllers must respond within one month. In the UK, complaints about non-compliance are handled by the Information Commissioner's Office (ICO).
Examples
- A victim of identity theft requests erasure of a fraudulently created account from a financial services firm; the firm deletes the data within 25 days.
- A scam victim asks a data broker to erase his home address after it was used to target him; the broker must respond within one month under UK GDPR.