GDPR Right to Erasure Refused: What You Can Do

March 2026 · EU / UK · GDPR Article 17

You submitted a GDPR erasure request. The company replied with a form letter citing "legitimate interests" or "legal obligation." Is that refusal valid? Often, it is not — and companies know you are unlikely to push back. Here is how to challenge it.

When the Right to Erasure Applies

GDPR Article 17 gives you the right to have your personal data erased when: GDPR Art.17

The data is no longer necessary for the purpose it was collected
You withdraw consent and there is no other legal basis for processing
You object under Article 21 and there are no overriding legitimate grounds
The data was processed unlawfully
Erasure is required by EU or member state law

Valid vs Invalid Refusals

What they say	Is it valid?
"We have a legal obligation to retain your data" (e.g. tax records, regulated financial data)	Potentially valid — but only for the specific data subject to the legal obligation, for the specific retention period required by law. They cannot use this to retain everything indefinitely.
"We have a legitimate interest in retaining your data"	Usually invalid — legitimate interests must be specific, documented, and proportionate. A vague claim of "legitimate interests" without specifying what those interests are and why they override your rights is not sufficient.
"We need it for the performance of a contract"	Invalid after the contract ends — once the relationship is over, this legal basis falls away. They can retain data needed for legal disputes but not operational data indefinitely.
"Erasure is technically impossible"	Almost never valid — they must make reasonable efforts to erase data. Backups are an accepted exception for a limited period, but active systems must be updated.

How to Challenge the Refusal

Ask them to specify:

Which specific legal basis under GDPR Article 17(3) they are relying on
Which specific data they are retaining and why that specific data falls under the exception
For how long they intend to retain it and the legal basis for that retention period

"Please confirm which specific exception under GDPR Article 17(3) you are relying on, which specific categories of data this applies to, and the duration of retention. A general reference to 'legitimate interests' is not a sufficient response under Article 12(3)."

Under GDPR Article 12(3), they must respond within one month. GDPR Art.12

Escalate to Your DPA

If the company does not respond adequately, file a complaint with your national data protection authority. It is free. The company faces investigation and potential fines.

Germany: Bundesdatenschutzbeauftragter (BfDI) — bfdi.bund.de
France: CNIL — cnil.fr
Netherlands: Autoriteit Persoonsgegevens — autoriteitpersoonsgegevens.nl
Ireland: Data Protection Commission (handles many large tech companies) — dataprotection.ie
UK (post-Brexit): Information Commissioner's Office (ICO) — ico.org.uk
All EU: edpb.europa.eu has a full list of national DPAs

Related Guides

Fix AI has a GDPR erasure dispute case where DataVault refuses your deletion request citing "legitimate interests." Practice the exact arguments before you need them for real.

Practice This Dispute Free →

← Back to Fix AI