What happens if a business refuses to delete my data in Australia?

Answer

You have the right to file a formal complaint if a business refuses to delete your personal data in Australia. Under the Privacy Act 1988, businesses must take reasonable steps to destroy or de-identify personal information they no longer need, unless a specific legal exception applies.

Office of the Australian Information Commissioner (OAIC)
Last Updated: May 3, 2026

How it works in practice

You have strong legal protections regarding how businesses handle and retain your personal information.

Understanding Data Deletion Rights

In Australia, the handling of your personal data is strictly regulated by the Privacy Act 1988 and the Australian Privacy Principles (APPs). Under APP 11, if an organization holds your personal information and no longer needs it for any purpose for which it was collected, they must take reasonable steps to destroy or definitively de-identify it.

When A Business Refuses

If a business refuses your request to delete your data, they are required to provide you with a valid reason. They cannot simply ignore your request or arbitrarily deny it. They must clearly outline the legal or operational necessity that compels them to retain your personal information.

Escalating Your Complaint

If you believe the business is holding onto your data without a valid legal reason, your first step is to complain directly to the company's designated privacy officer. By law, they must respond within 30 days. If they fail to respond appropriately or ignore you, you have the right to escalate the matter to the Office of the Australian Information Commissioner (OAIC) for a formal investigation.

Important exceptions

There are several important exceptions where a business can legally refuse to delete your data in Australia.

A business is not required to destroy your information if it is still needed for the purpose it was originally collected, such as maintaining an active account or fulfilling an ongoing service contract.

Additionally, organizations are legally required to retain certain records under other Australian laws. For example, financial institutions must keep transaction histories for anti-money laundering compliance, and healthcare providers are mandated to retain medical records for a specific number of years.

What you should do now

  1. Review the business's official privacy policy to find the contact details for their designated privacy officer.

  2. Send a formal, written request asking the business to delete or de-identify your personal information.

  3. Wait up to 30 days for the business to process your request and provide a formal written response.

  4. Request a written explanation outlining their specific legal or operational reasons if they refuse to delete your data.

  5. Lodge a formal privacy complaint with the Office of the Australian Information Commissioner (OAIC) if the issue remains unresolved.
