Australia

I asked a company to delete my personal data but they refused. Do they have to comply?

APP 12
Access right
APP 13
Correction right
72 hours
Response time
OAIC
Oversight body
The Short Answer

Yes, in most cases Australian companies must comply with a valid request to delete your personal data under the Privacy Act 1988, unless an exception applies.

What the Law Says

The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) govern how organisations handle personal information. While there is no standalone 'right to erasure' like in the GDPR, APP 11 (Security of personal information) and APP 12–13 (Access and correction) — together with organisational obligations under APP 1 (Open and transparent management of personal information) — require entities to take reasonable steps to destroy or de-identify personal information that is no longer needed for any purpose permitted by the Act.

Under APP 11.2, an organisation must take reasonable steps to destroy or de-identify personal information it holds if it is no longer needed for any purpose for which it may be used or disclosed under the APPs.

APP 12 gives you the right to request access to your personal information; APP 13 lets you request correction. Though neither explicitly says 'delete', if information is inaccurate, irrelevant, or no longer necessary — and you withdraw consent where it was the basis for collection — continued retention may breach APP 11.2.

The Office of the Australian Information Commissioner (OAIC) states that 'destruction' includes permanent deletion from digital systems and physical destruction of records.

Statutory Text

An organisation must take reasonable steps to destroy or de-identify personal information it holds if the information is no longer needed for any purpose for which it may be used or disclosed under the APPs.

Privacy Act 1988 (Cth), s. 11.2 — Australian Privacy Principle 11.2
Statutory Text

An individual has a right to obtain access to personal information about the individual that is held by an organisation.

Privacy Act 1988 (Cth), s. 12 — Australian Privacy Principle 12
Statutory Text

If an individual requests an organisation to correct personal information about the individual that the organisation holds, the organisation must take reasonable steps to correct the information.

Privacy Act 1988 (Cth), s. 13 — Australian Privacy Principle 13

What to Do

1

Contact the company in writing (email or letter) quoting APP 11.2 and clearly requesting deletion or de-identification of your data.

2

Allow them up to 30 days to respond — they must reply within 30 days (or explain why more time is needed).

3

If they refuse without lawful justification, lodge a complaint with the OAIC at oaic.gov.au/complaints.

4

Keep copies of all correspondence and note dates of requests and responses.

Sources

statutePrivacy Act 1988 (Cth), s. 11.2 — Australian Privacy Principle 11.2statutePrivacy Act 1988 (Cth), s. 12 — Australian Privacy Principle 12statutePrivacy Act 1988 (Cth), s. 13 — Australian Privacy Principle 13guidanceOAIC: De-identification and the Privacy Act

Same Question, Other Jurisdictions

GermanyCanadaIrelandSingaporeEuropean UnionIndiaSouth KoreaUKUS-CaliforniaCompare all →

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.