How do I make a company delete my data (right to erasure)?
Last updated: 2026-07-12 ยท Educational content; not legal advice.
Short answer
You have a legal right to demand deletion. RA 10173 (Data Privacy Act) ยง16(e) lets any data subject order the blocking, removal, or destruction of their personal data when it is incomplete, outdated, false, unlawfully obtained, used beyond the purpose you agreed to, or no longer necessary. Put the request in writing to the company's Data Protection Officer โ every controller must designate one โ identify yourself, and specify exactly what to delete. The law sets no fixed day-count, but a controller has a duty to act within a reasonable period; if it refuses, or keeps data it no longer needs, file a complaint with the National Privacy Commission (NPC), which can order deletion, impose fines, and refer the case for prosecution.
Primary sources
Frequently asked
How do I actually send the request?
In writing to the company's Data Protection Officer (DPO). Identify yourself, list the exact data to delete, cite RA 10173 ยง16(e), and keep dated proof of sending (email or registered mail). A controller has a legal duty to act on a valid data-subject request.
Can they refuse to delete everything?
Partly. They may keep the minimum data a law requires them to retain (e.g., tax, anti-money-laundering, or records needed to enforce a live contract), but they cannot keep excess or unlawfully collected data indefinitely. Anything outside a genuine legal retention rule must go.
What if they ignore me or say no?
File a complaint with the NPC. It can order deletion, issue a compliance or cease-and-desist order, impose administrative fines, and refer the matter for criminal prosecution under RA 10173.
Take action
Got a similar problem?
File a complaint and we'll pre-fill BSP, SEC, DTI, and small-claims letters for you.
Contact-list scraping, unauthorized data use, and how to file with the NPC.