Guidance for Data Brokers
How We Submit and Manage Deletion Requests on Behalf of Individuals
We act on behalf of individuals to exercise their data protection rights under the UK GDPR and EU GDPR. This page explains how deletion (Right to Erasure) requests submitted by us should be handled, and what organisations can expect when receiving such a request.
1. Requests Submitted by an Authorised Agent
Deletion requests may be submitted by us as an authorised representative of the data subject. Each request is supported by a valid Letter of Authority (LOA), which confirms that we are entitled to act on the individual’s behalf.
Regulatory guidance confirms that organisations must accept GDPR requests submitted by third parties, provided appropriate authorisation is supplied.
2. Scope of the Request
Our requests are made under Article 17 (Right to Erasure, also known as the right to be forgotten) of the UK GDPR / EU GDPR.
We do not request access to personal data. We request deletion of personal data or, where deletion is not lawfully possible:
the restriction of processing in line with Article 18, and
an objection to the processing of personal data for all purposes afforded by Article 21 of the above.
3. Identifiers Provided
Each request includes one or more identifiers (such as confirmed email addresses) that the individual has authorised for use. All details are included in the Letter of Authority attached to each request.
Organisations are expected to locate and act upon all personal data linked to the individual, including (but not limited to) data associated with:
Contact Info: Name, address, phone, email.
Identification: ID numbers, driver's license, passport info.
Online Identifiers: IP addresses, cookie IDs, usernames, device IDs.
Demographics: Age, gender, date of birth, marital status.
Financial: Salary, bank details, credit card numbers.
Employment / Education: Job history, qualifications, training records.
Location: GPS data, location history.
Physical / Behavioral: Photos, voice recordings, work times.
Racial or Ethnic Origin.
Political Opinions.
Religious or Philosophical Beliefs.
Trade Union Membership (or lack of membership).
Health Data: Medical conditions, treatments, symptoms.
Genetic Data.
Biometric Data (including for identification).
Sex Life or Sexual Orientation.
Criminal Convictions & Offences.
If another identifier is used as the primary key within your systems, it should also be included in the search.
4. Deletion and Restriction Expectations
The individual’s preference is for permanent deletion of their personal data.
Where an organisation believes it has a valid legal obligation or lawful basis to retain some data:
The request should be treated as an objection to processing (Article 21), and
Processing should be restricted under Article 18, except where retention is strictly required by law.
Restricted data must not be actively processed, shared, sold, or otherwise reused.
5. Suppression
If technically possible, you may apply a suppression to prevent the subject of the request from being reacquired into your systems. If this is possible, you can opt to include this fact in your response to us.
By confirming suppression, you must ensure that:
The individual’s data is not reintroduced into active datasets,
No further processing takes place,
The data subject cannot be re-identified for any reason including commercial or operational use.
Where suppression is applied, we will not submit further deletion requests for the duration of the suppression period (up to 7 years or your standard suppression period, whichever is shorter).
6. Confirmation of Outcome
There are two methods you can use to confirm deletion: either reply to the request we sent you, adding the simple statement ‘deletion confirmed’, or fill in the linked form attached to the email we sent you. Note that the form will be hosted on our sub-domain forms.guardID.app and will be secured via HTTPS. We take security seriously, and our entire domain (including all sub-domains) is set to accept only HTTPS traffic (no HTTP), with HSTS and HSTS Preload configured.
7. Verification and Proportionality
In many cases, particularly where data was not collected directly from the individual, requests for additional verification may be unnecessary. GDPR requires that verification steps be proportionate and not create undue barriers to exercising data protection rights.
We reserve the right to escalate undue and unnecessary additional verification to the Information Commissioner or other regulatory authorities to seek intervention if we deem the verification to be disproportionate to the requests we make on behalf of our clients.
It is the view of guardID that requesting verification beyond our Letter of Authority, for data that a company acquired without verification from the data subject, is manifestly disproportionate and is done with the primary aim of reducing the amount of data shrinkage by making deletion harder for the data subject (or an agent acting lawfully on their behalf).
8. Record Keeping and References
Each request includes a unique reference identifier. Organisations should quote this reference in any correspondence to ensure accurate tracking and closure of the request.
9. Regulatory Context
We may share correspondence or outcomes with relevant supervisory authorities where this is necessary to protect the interests of the individual or to clarify regulatory expectations.
Our aim is to ensure deletion and restriction requests are handled efficiently, transparently, and in line with data protection law.
10. Correspondence Use for Transparency & Marketing
To promote transparency, accountability, and industry understanding of data protection practices, we may use excerpts from correspondence received from data brokers, data controllers, or other third parties in our communications and marketing materials.
We may reference, use or quote:
Written responses to deletion, suppression, or restriction requests,
Explanations of processing practices or legal positions,
Confirmations of deletion or suppression,
General commentary on compliance processes or timelines.
When using such correspondence:
All personal data relating to individuals is removed or irreversibly redacted, including names, email addresses, identifiers, and case references,
No information capable of identifying a data subject is ever published,
Internal request identifiers and correspondence metadata are removed.
However:
We may retain and display the name of the responding organisation (for example, the data broker or data controller), where this is relevant to understanding industry practices or outcomes,
Individual employees, officers, or representatives of an organisation are not identified.
Correspondence is used solely for purposes such as:
Educating consumers and organisations about data protection rights,
Demonstrating real-world responses to erasure and restriction requests,
Highlighting variations in industry compliance approaches,
Promoting best practice and accountability within the data ecosystem.
Any such use is limited to what is necessary, proportionate, and fair, and is consistent with applicable data protection law, including principles of minimisation and transparency.
Use of correspondence does not imply endorsement, criticism, or regulatory findings unless explicitly stated. Excerpts are presented to illustrate processes and outcomes, not to attribute intent or legal conclusions.
If an organisation has concerns about the use of its correspondence in this way, it may contact us using the details provided on this website. We will review all objections in good faith and assess them in line with applicable data protection and fairness obligations.
11. Premium Integrations
We know some data brokers and other companies are seeking to do right by their customers and data subjects but would also like to remove a large chunk of the work from the SAR / Data Deletion process. As such, at guardID we want to help you automate as much of the process as possible.
To this end, we offer premium integrations with our service that allow you to use our secure APIs (other secure technologies are available upon request) to automate the data lifecycle and confirm removal / suppression of data subjects within our member base. Moreover, we offer APIs which you can use upon acquiring new data to validate whether the data subjects are members of our service. We have found this service can help brokers minimise the costs of acquisition by eliminating wasted spend on records that will need deleting.
Note that, to be eligible for this service, you must complete an application process, which ensures our APIs are only used for legitimate purposes. This service also has custom pricing; reach out now to find out more.