Data Subject Rights

Right to Be Forgotten Explained: When You Can Demand Data Erasure

Ikeh James Certified Data Protection Officer (CDPO) | NDPC-Accredited · 2026-01-02T18:33:35+00:00

Learn what the Right to Be Forgotten means, when you can demand data erasure, and how to exercise this right under the NDPA and GDPR

Ikeh James Certified Data Protection Officer (CDPO) | NDPC-Accredited January 2, 2026

This article is part of our Data Subject Rights series, explaining individual rights under NDPA, GDPR, and global data protection laws.

In an age where personal information spreads instantly and can remain online indefinitely, the ability to erase outdated, harmful, or unlawfully processed data has become essential. The Right to Be Forgotten, formally known as the Right to Erasure, gives individuals the legal power to demand that organizations delete their personal data in specific circumstances.

This right is one of the most widely discussed — and often misunderstood — data protection rights. It does not guarantee total digital invisibility, but it does provide a powerful mechanism for regaining control over personal information when continued processing is no longer justified.

In this detailed guide, we explain what the Right to Be Forgotten really means, when it applies, how to exercise it under the Nigeria Data Protection Act (NDPA) and the GDPR, real-world examples, limitations, and what to do if your erasure request is refused.

What Is the Right to Be Forgotten?

The Right to Be Forgotten allows individuals to request the permanent deletion of their personal data when certain legal conditions are met. Once erasure is granted, the organization must remove the data from its systems and take reasonable steps to ensure it is no longer processed or made publicly available.

This right exists to prevent:

Endless retention of irrelevant or outdated data
Ongoing harm from inaccurate or unlawful processing
Continued exposure of personal data without justification

Under the GDPR, this right is set out in Article 17, while the NDPA provides equivalent protections for individuals in Nigeria.

Under Article 17 GDPR, individuals can request erasure where:

The data is no longer necessary for its original purpose
Consent has been withdrawn and no other legal basis applies
The individual objects to processing and there are no overriding legitimate grounds
The data has been unlawfully processed
Erasure is required to comply with a legal obligation
The data relates to a child and online services

Organizations must act without undue delay once a valid request is received. (gdprinfo.eu)

NDPA Perspective (Nigeria)

The Nigeria Data Protection Act similarly allows individuals to demand deletion of personal data where:

Processing lacks a lawful basis
Data is excessive or retained longer than necessary
Continued processing causes harm or violates fairness principles

The NDPA also empowers the Nigeria Data Protection Commission (NDPC) to enforce erasure obligations and sanction non-compliant organizations. (ndpc.gov.ng)

When Can You Demand Data Erasure?

Ground for Erasure	Practical Example
Purpose expired	Old customer data kept after service ends
Withdrawal of consent	You revoke consent for marketing emails
Unlawful processing	Data collected without notice or consent
Successful objection	Profiling stopped after valid objection
Legal obligation	Law requires deletion after a set period
Children’s data	Data collected from minors without safeguards

This right is not automatic — each request must meet at least one legal ground.

Real-World Examples and Case Insights

Example 1: Outdated Online Content

An individual requests removal of outdated personal information published online that no longer reflects their current circumstances. The platform assesses relevance and deletes the data after confirming it serves no legitimate purpose.

Example 2: Marketing Databases

A user withdraws consent for promotional emails and demands erasure. The company must delete the user’s data from marketing systems and ensure it is not reused.

Example 3: Digital Lending Platforms

A loan app retains borrower data long after repayment. A valid erasure request forces deletion, except where retention is legally required for audits.

Example 4: Search Engine De-Indexing

Search engines may be required to remove links to personal data that is inaccurate, excessive, or no longer relevant — one of the most well-known applications of the Right to Be Forgotten. (gdprinfo.eu)

When Erasure Does NOT Apply (Key Limitations)

The Right to Be Forgotten is powerful but not absolute. Organizations may refuse erasure where data is needed for:

Exception	Explanation
Legal obligations	Tax, financial, or regulatory recordkeeping
Freedom of expression	Journalism, academic, or public interest reporting
Public interest	Public health or safety requirements
Legal claims	Establishment, exercise, or defense of legal rights
Research & statistics	With appropriate safeguards

Understanding these limits helps set realistic expectations.

How to Submit an Effective Erasure Request

Identify the Data – Specify exactly what personal data you want deleted.
State the Legal Ground – Explain why erasure applies (e.g., consent withdrawn).
Use Official Channels – Privacy email, request form, or written notice.
Request Confirmation – Ask for written proof of deletion.
Ask About Third Parties – Request confirmation that shared data recipients are informed.

Organizations usually have one month to respond, extendable in complex cases.

What Organizations Must Do After Erasure

Permanently delete personal data from active systems
Prevent future processing
Inform third parties who received the data, where feasible
Retain only minimal records necessary for compliance

Failure to comply may trigger regulatory enforcement under the NDPA or GDPR.

Common Misconceptions About the Right to Be Forgotten

“Everything about me must be erased.”
No. Only data meeting legal erasure conditions qualifies.
“Erasure applies instantly.”
Organizations are allowed a reasonable response period.
“Erasure removes all online traces.”
Some data may remain where legal exemptions apply.

Frequently Asked Questions (FAQs)

Q1. Is the Right to Be Forgotten available in Nigeria?
Yes. The NDPA grants individuals the right to request deletion of personal data under defined conditions. (ndpc.gov.ng)

Q2. Can organizations refuse my request?
Yes, but only if a valid legal exception applies. They must explain the reason clearly.

Q3. Does erasure apply to backups?
Organizations must ensure erased data is not restored or reused from backups beyond permitted retention periods.

Q4. Can I complain if erasure is denied?
Yes. You may report the issue to the NDPC or pursue legal remedies where harm occurs. (gdprinfo.eu)

Why the Right to Be Forgotten Matters

The Right to Be Forgotten reflects a modern understanding of privacy — one that recognizes people evolve, circumstances change, and data should not follow individuals indefinitely without justification.

It:

Reduces long-term digital harm
Promotes responsible data retention
Reinforces accountability for organizations
Protects dignity and personal autonomy

Final Thoughts

The Right to Be Forgotten is not about rewriting history — it is about fairness, relevance, and proportionality in data use. Under the NDPA and GDPR, individuals have meaningful control over when their personal data should no longer exist in active systems.

By understanding when and how to demand erasure, you can protect yourself from unnecessary exposure, reputational harm, and unlawful processing. In a digital world that never forgets by default, this right ensures that the law sometimes can.