Use these templates to exercise your GDPR rights as a European citizen. Feel free to adapt as you like.
It is adviseable in most cases to first ask for access to your data, then send an erasure request separately after having looked at what you got, if you believe the company or organization is storing excessive amounts of personal data on you. You may send these templates in a letter by ordinary mail or by email. I would recommend sending the request by ordinary mail and including a copy of your passport as well as any information you have that may help them identify your data, such as current or previous email addresses and phone numbers.
However, it may also be appropriate to use the combined claims if you are confident that the organization you are filing the request with will treat it in a thorough and reliable manner.
Access-my-data.md
Use this to demand a copy of all your data.
Delete-my-data.md
After reviewing the data, use this template to demand that the company delete parts of (or all) your data.
Correct-my-data.md
After reviewing the data, use this template to demand that the company change incorrect information about you (data rectification).
Move-my-data.md
Ask for your data to be moved to a different company or organization.
Deliver-my-data-then-erase-what-you-do-not-need.md
Combined access and erasure request, asking the company to delete all data not strictly needed to maintain your customer account and services you use or have paid for.
Deliver-my-data-then-erase-everything.md
Combined access and erasure request, asking the company to deliver all data, then delete it.
Tracking-and-3rd-parties-extra.md
Add and adapt this if you want information on behavioural tracking and data supplied by third parties, for example from their contact list.
DPA-complaint.md
If you are not satisfied with their response, you can complain to your national Data Protection Authority (DPA).
I've gathered mailing addresses of some of the largest companies that collect your data. Please contribute with other relevant addresses if you know which ones are appropriate to use.
It is usually better to send a manual claim either in addition to or instead of requesting a download, as automated data gathering does not necessarily provide all personal information a company may be storing.
The possibility to download your data is usually not available if you do not currently hold an account. Even though some companies claim the opposite, one nevertheless does have the right to access and erasure even when the account has been closed, if the company in question keeps all or parts of your information, be it in an anonymized form or not. Companies need to make an effort to identify that you are the right person if they hold data on you. For instance, if you still have access to the email address you used or any phone numbers they still have on file or your name/birth date is unique and matches your passport, they should be able to treat your claim.
Some companies, like Amazon, will try and convince you that "most" of your information can be accessed through your personal pages, and will only treat these requests after you insist. Many companies will point you in the direction of a general legal statement instead of addressing your questions, and will only give you a list of third parties they have shared your information with after you insist/complain to the local Data Protection Authority.
The European Commission has a list of local DPAs who will receive and treat your complaint if you are dissatisfied with how your request is treated.
Use our template and adapt, by specifying what you are dissatisfied with, or by also citing provisions of the GDPR, available in a convenient and accessible form in English or from EUR-Lex in different languages.
For more information on the GDPR, see the ICO website.