The question has two halves, and they collapse when asked together. Removing your data from brokers is legal under GDPR Article 17. Brokers holding it in the first place often is not — they rely on "legitimate interest," and most of the time that claim fails a proper balancing test.
This is the short answer. The long answer requires separating two different legal questions, looking at the specific GDPR mechanics that apply, and being honest about where brokers resist and what happens when they do.
Two questions in one
When someone asks whether data broker removal is legal, they usually mean one of two things.
Can I require a broker to delete my data? Yes, under Articles 17 and 21 of the GDPR — and, in the United Kingdom, under the UK GDPR, which retains these rights post-Brexit.
Is it legal for a broker to have collected and held that data without asking me? Often no. Their standard justification is Article 6(1)(f) — "legitimate interest" — which requires a balancing test that commercial aggregation of personal data frequently fails.
The first question is the one you can act on directly. The second is what gives the first its force.
Your right to erasure — GDPR Article 17
Article 17 of the GDPR establishes the right to erasure — commonly called the "right to be forgotten." It applies when:
- The data is no longer necessary for the purposes it was collected (17(1)(a));
- You withdraw the consent it was based on, and there is no other legal basis (17(1)(b));
- You object under Article 21 and there are no overriding legitimate grounds (17(1)(c));
- The data has been unlawfully processed (17(1)(d)).
For a data broker scraping public records and commercial sources to build a profile of you, 17(1)(c) is the usual route. You object. The broker must then demonstrate compelling legitimate grounds that override your rights. In practice, aggregate commercial profiling of named individuals rarely clears that bar.
The landmark precedent is Google Spain v AEPD (C-131/12, 13 May 2014) — predating the GDPR but establishing the principle under its predecessor directive. Later CJEU judgments, including GC and Others v CNIL (C-136/17, 24 September 2019), have extended and refined it.
Your right to object — GDPR Article 21
Article 21 is often the cleaner path. When a broker relies on legitimate interest under Article 6(1)(f), you have the right to object to processing. Once you object, the controller must stop processing your data unless it can demonstrate "compelling legitimate grounds" that override your interests, rights, and freedoms.
The burden of proof sits with the broker. The default, on objection, is that processing must cease.
Article 21(2) goes further for direct marketing: your right to object there is absolute. No balancing test. No counter-claim. If a broker is processing your data for marketing purposes — as many are, directly or via downstream buyers — Article 21(2) ends the processing on request.
What "legitimate interest" actually requires
Brokers almost always cite Article 6(1)(f) as their legal basis. The three-part test for legitimate interest, as articulated by the European Data Protection Board and its predecessor the Article 29 Working Party, is:
- The interest pursued must be legitimate — lawful, specific, and real.
- The processing must be necessary for that interest.
- The interest must not be overridden by the rights and freedoms of the data subject.
Commercial aggregation fails the third test more often than brokers will concede. Aggregating names, addresses, phone numbers, employer histories, and inferred traits into marketable profiles — without the knowledge of the individuals concerned — creates a privacy impact hard to reconcile with individual rights. Articles 7 and 8 of the EU Charter of Fundamental Rights frame those rights explicitly.
This is why, when you object formally, the broker typically removes you rather than defend the balancing test in writing. They know where the balance tips.
Can a service file these requests on your behalf?
Yes. Data subject rights are delegable.
A third party — a privacy firm, law firm, or family office — can submit erasure and objection requests on your behalf with a signed mandate. This is explicitly contemplated in Article 80, which provides for representation by a not-for-profit body, and more generally in the standard civil mechanism of proxy representation.
The practical form is a signed authorisation letter or power of attorney identifying the data subject, the authorised representative, and the scope of the mandate. The broker is obliged to verify identity under Article 12(6) but cannot refuse to engage with a representative simply because the request does not come from the data subject directly.
This is how full-removal services operate legally. The service is not exercising its own rights — it is exercising yours, under your explicit mandate.
When a broker refuses — the supervisory authority path
Some brokers delay. Some ignore. Some reply with templates that do not address the request.
Article 12(3) sets the response clock: one month from receipt, extendable by a further two months for complex requests, with notice to the data subject. Beyond that, a controller that fails to respond or refuses unjustifiably has violated its obligations under the GDPR.
The remedy is a complaint to the supervisory authority under Article 77. Every EU and EEA state has one. The authority will open a procedure, contact the broker, and — where a violation is confirmed — may issue corrective orders under Article 58 or administrative fines up to 4% of global annual turnover under Article 83.
Enforcement is not theoretical. The Dutch Autoriteit Persoonsgegevens fined Clearview AI €30.5 million in May 2024 for unlawful facial recognition scraping, with a conditional penalty of up to €5.1 million for non-compliance. The French CNIL issued a €20 million fine against the same company in October 2022. The UK ICO acted in 2023. Different regulators, same pattern: commercial scraping without a viable legal basis does not survive scrutiny.
Country nuances — UK, Germany, Netherlands, France
The substantive rights are uniform across the EU and, for practical purposes, the United Kingdom. Procedural differences matter.
Netherlands. The Autoriteit Persoonsgegevens (AP) is the national supervisory authority. Complaints can be filed in Dutch or English. The AP has been notably active in enforcement against data brokers and scraping operations.
United Kingdom. The UK operates under the UK GDPR, a post-Brexit retention of the European GDPR, enforced by the Information Commissioner's Office (ICO). The rights under Articles 17 and 21 are retained verbatim. The ICO's complaint procedure is accessible and well-documented.
Germany. Germany has a federated DPA structure — 17 supervisory authorities: one for each of the 16 Länder, plus the federal BfDI for telecommunications and federal bodies. Complaints are made to the DPA of the data subject's residence. The substantive rights are identical.
France. The CNIL is the national supervisory authority. France has historically taken an assertive stance on data broker enforcement, including the Clearview fine noted above.
What this means practically
You can demand removal. The broker can refuse, but the GDPR gives you a two-step escalation — direct request, then supervisory authority complaint — that, across a population of 150+ brokers, delivers results.
The slow part is execution. Identifying every broker holding your data, drafting requests that cite the correct article and anticipate the broker's standard objections, tracking the one-month response window, and escalating non-compliance — is a documentation exercise, repeated at scale.
That is the work. The legality is settled.