The right to erasure

You can ask a private or public body (the data controller) to delete personal data that it has no reason, or no longer any reason, to process.

Under which circumstances can you ask for the erasure of your data?
  • the personal data is no longer necessary to achieve the intended purpose, e.g., after closing your account on a fitness application, the application no longer needs your personal data,
  • you withdraw your consent, and the data is not needed for other purposes, e.g., you withdraw the consent given to a site to receive newsletters,
  • you do not wish your data to be used for canvassing purposes, e.g., you object to canvassing by post,
  • the personal data is processed unlawfully, e.g., the creation of a profile by a third party on a social network,
  • personal data must be deleted because of a legal obligation, e.g., the deletion of criminal records by an employer collected as part of a recruitment process,
  • an information society service collected your data when you were a minor, e.g., if you used a blog or social network as a minor,
  • you object to the use of your data and the organisation has no legitimate and compelling reason not to act on the objection.

Processing of personal data in criminal matters and in matters of national security

You also have the right to erasure of personal data processed by the Grand-Ducal Police, the State Intelligence Service, the National Security Authority, the Luxembourg Army, the Financial Intelligence Unit and the Customs and Excise Administration under the conditions set out in Article 15 of the Law of 1 August 2018 on the protection of individuals with regard to the processing of personal data in criminal matters and in matters of national security.

The limits of the right to erasure

The right to erasure does not apply if the processing of your data is necessary:

  • to exercise the right to freedom of expression and information,
  • to enable the organisation to comply with a legal obligation which requires the processing or to perform a task carried out in the public interest or in the exercise of official authority vested in the organisation,
  • for reasons of public interest in the field of public health, in accordance with Article 9(2)(h) and (i) and Article 9(3) of the GDPR,
  • for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89(1) of the GDPR and Articles 63 to 65 of the Act of 1 August 2018 on the organisation of the National Commission for Data Protection and the general data protection regime insofar as the right referred to in paragraph 1 is likely to make it impossible or seriously compromise the achievement of the objectives of the said processing, or
  • for the establishment, exercise or defence of legal claims.

Processing of personal data in criminal matters and in matters of national security

Instead of erasure, the controller shall restrict processing where:

  • the accuracy of the personal data is contested by the data subject, and it cannot be determined whether or not the data is accurate, or
  • the personal data must be retained for evidential purposes.

Where processing is restricted, the data controller shall inform the data subject before lifting the restriction on processing.

How to exercise your right and what procedure to expect?
  • Identify the organisation responsible and how it can be contacted (information available on the organisation's website or in a document entitled: ‘information notice on data protection’, ‘confidentiality policy’, ‘privacy policy’, ‘legal notice’, etc.).
  • Use your right to erasure:
    • The request should preferably be made in writing (letter, e-mail or via an erasure request form on the organisation's website).

If you wish, you can use the CNPD's model letter (data processing subject to the GDPR) to assert your right to erasure with the data controller.

In the case of processing of personal data relating to criminal matters or national security, please use the template letter for processing of data relating to criminal matters and national security.

You can already specify, if you wish, the data for which you are requesting erasure.

  • Potential verification of your identity: if the organisation has reasonable doubts about your identity or needs to verify your identity, it may ask you to attach any document that proves your identity. If you use an already known means of identification such as an e-mail address or customer/member number, this should be sufficient for the organisation.
  • The organisation investigates the possibility of deleting your data.
  • Sending of the response by the organisation. When you exercise your right electronically, the response is provided electronically unless you have requested otherwise. The reply must be sent to you in clear and simple terms.
    • If the organisation has to erase your data, it will notify each organisation with which it has shared your data that erasure has been carried out, unless such notification proves impossible or would require disproportionate effort. On request, the organisation must provide you with information about these recipients.
    • If the organisation has made your data public and needs to erase it, it will take reasonable steps, including technical steps, to inform other organisations processing the data that you have requested erasure of any links to, or copies or reproductions of, the data.

Processing of personal data in criminal matters and in matters of national security

Where personal data has been erased or processing restricted, the controller will notify the recipients to erase the personal data or restrict the processing of personal data under their responsibility.

How much time does the controller have to answer your request?

Within a maximum of 1 month from receipt of the request:

  • either by acting on your request,
  • or by informing you that your request cannot be processed and that you may lodge a complaint with the CNPD and take legal action,
  • or, in the case of a complex request, by informing you of the extension of the initial deadline (by a maximum of two additional months) and the reasons for it.

Processing of personal data in criminal matters and in matters of national security

The controller shall erase the data as soon as possible.

The controller shall inform the data subject in writing of any refusal to erase personal data or to restrict processing, and of the reasons for the refusal. The data controller may restrict, in whole or in part, the provision of such information, where such restriction constitutes a necessary and proportionate measure within a democratic society, having regard to the purpose of the processing concerned, and with due regard to the fundamental rights and legitimate interests of the data subject to:

  1. avoid hampering official or judicial enquiries, investigations, or proceedings;
  2. avoid hindering the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties;
  3. protect public security;
  4. protect national security and defence; or
  5. protect the rights and freedoms of others.

If the organisation does not meet these deadlines or if you are not satisfied with its response and you decide to refer the matter to the CNPD, you can submit a complaint via our online form, taking care to attach supporting documents for your previous actions.

Do you have to pay any fees?

In principle, no payment may be required to take the measures requested, unless your requests are manifestly unfounded or excessive, in particular because of their repetitive nature. In this case, the organisation may either demand payment of a reasonable fee that takes account of the administrative costs incurred in taking the action requested or refuse to comply with your requests.

The organisation must explain why payment is required.
