You submitted a GDPR erasure request. The company replied with a form letter citing "legitimate interests" or "legal obligation." Is that refusal valid? Often, it is not — and companies know you are unlikely to push back. Here is how to challenge it.
When the Right to Erasure Applies
GDPR Article 17 gives you the right to have your personal data erased when:
- The data is no longer necessary for the purpose it was collected
- You withdraw consent and there is no other legal basis for processing
- You object under Article 21 and there are no overriding legitimate grounds
- The data was processed unlawfully
- Erasure is required by EU or member state law
Valid vs Invalid Refusals
| What they say | Is it valid? |
|---|---|
| "We have a legal obligation to retain your data" (e.g. tax records, regulated financial data) | Potentially valid — but only for the specific data subject to the legal obligation, for the specific retention period required by law. They cannot use this to retain everything indefinitely. |
| "We have a legitimate interest in retaining your data" | Usually invalid — legitimate interests must be specific, documented, and proportionate. A vague claim of "legitimate interests" without specifying what those interests are and why they override your rights is not sufficient. |
| "We need it for the performance of a contract" | Invalid after the contract ends — once the relationship is over, this legal basis falls away. They can retain data needed for legal disputes but not operational data indefinitely. |
| "Erasure is technically impossible" | Almost never valid — they must make reasonable efforts to erase data. Backups are an accepted exception for a limited period, but active systems must be updated. |
How to Challenge the Refusal
Ask them to specify:
- Which specific legal basis under GDPR Article 17(3) they are relying on
- Which specific data they are retaining and why that specific data falls under the exception
- For how long they intend to retain it and the legal basis for that retention period
"Please confirm which specific exception under GDPR Article 17(3) you are relying on, which specific categories of data this applies to, and the duration of retention. A general reference to 'legitimate interests' is not a sufficient response under Article 12(3)."
Under GDPR Article 12(3), they must respond within one month of receiving your request. They can extend this by up to two further months when the request is complex or numerous, but they must notify you of the extension — and the reasons for it — within the original one-month window. Silence past that point is itself a breach.
Escalate to Your DPA
If the company does not respond adequately, file a complaint with your national data protection authority. It is free. The company faces investigation and potential fines.
- Germany: Bundesdatenschutzbeauftragter (BfDI) — bfdi.bund.de
- France: CNIL — cnil.fr
- Netherlands: Autoriteit Persoonsgegevens — autoriteitpersoonsgegevens.nl
- Ireland: Data Protection Commission (handles many large tech companies) — dataprotection.ie
- UK (post-Brexit): Information Commissioner's Office (ICO) — ico.org.uk
- All EU: edpb.europa.eu has a full list of national DPAs
Frequently Asked Questions
When can a company refuse a GDPR erasure request?
Only when they have a valid legal basis to retain data — such as a legal obligation or compelling legitimate grounds that override your interests.
Does "legitimate interests" automatically defeat erasure?
No. Under Article 21, you can object and the controller must demonstrate compelling grounds. Vague claims are not sufficient.
How do I escalate a refused GDPR erasure request?
File a complaint with your national Data Protection Authority (DPA). In the UK, that is the ICO. Complaints are free.
Related Guides
Fix AI has a GDPR erasure dispute case where DataVault refuses your deletion request citing "legitimate interests." Practice the exact arguments before you need them for real.