Sample letter for erasure requests as per Art. 17 GDPR (“Right to be forgotten”)

If the personal data that companies or other organisations (so-called controllers) have stored on you is no longer necessary for its original purpose, you have a “right to be forgotten” according to the General Data Protection Regulation. This means that you can ask the controller to delete said data.

If the controller has forwarded your data to other companies, they also have to inform them about your request for deletion.

If you want to learn more, have a look at our article about your rights under the GDPR.

How do I exercise this right?

The GDPR does not impose any requirements on how you make your request. This means that you could in principle simply write an informal letter and send it to the controller. In theory, even a phone call would do.

In most cases, however, you should use the written form, if only to be able to prove later that you have actually made a request. And while you could also state informally that you would like for your data to be deleted, we advise you to make a more formal request referring to the specific legislation. This ensures that the controller cannot talk their way out of their responsibility.

What does a letter like that have to contain?

Don’t worry, you don’t have to write this letter yourself. We have prepared a sample letter for you to copy and adapt for your purposes.

Here is our sample letter for requests for erasure according to Art. 17 GDPR. You still have to fill in the data in curly braces. You can decided whether you want all personal data concerning you to be deleted or just some. Depending on your choice, include one of the sections in [square brackets].

To Whom It May Concern:

I am hereby requesting immediate erasure of personal data concerning me according to Article 15 GDPR.

[Please erase all personal data concerning me as defined by Article 4(1) GDPR.]
[Please delete the following personal data concerning me: Specify the data to be deleted.]

I am of the opinion that the requirements set forth in Article 17(1) GDPR are fulfilled.

If I have given consent to the processing of my personal data (e.g. according to Article 6(1) or Article 9(2) GDPR), I am hereby withdrawing said consent.
In addition, I am objecting to the processing of personal data concerning me (which includes profiling), according to Article 21 GDPR.

In case you have disclosed the affected personal data to third parties, you have to communicate my request for erasure of the affected personal data, as well as any references to it, to each recipient as laid down in Article 19 GDPR. Please also inform me about those recipients.

If you object to the requested erasure, you have to justify that to me.

My request explicitly includes any other services and companies for which you are the controller as defined by Article 4(7) GDPR.

As laid down in Article 12(3) GDPR, you have to confirm the erasure to me without undue delay and in any event within one month of receipt of the request.

I am including the following information necessary to identify me:
Enter your identification data here. This often includes information like your name, your date of birth, your address, your email address and so on.

If you do not answer my request within the stated period, I am reserving the right to take legal action against you and to lodge a complaint with the responsible supervisory authority.

Yours sincerely,
Your name

To make your life easier, you can also download the letter and use it directly with the word processor of your choice. You can choose between the following templates:

You are free to use these templates as you like. We make them available to you under a CC0 license. The templates for LibreOffice and Word are based on this LibreOffice template.

To whom do I send the letter?

You send the letter directly to the controller. If they have a data protection officer, we recommend that you always address the letter directly to this person. Data protection officers are not only specially trained, but are also required to treat your request confidentially.

You can often find the contact details of companies and other organisations on their websites in the privacy policy or in the legal notice. We want to help you with this, too. We maintain a company database which already contains the appropriate contact data for privacy-related requests for many companies.

Isn’t there an easier way?

The idea behind Datenanfragen.de is to make it as easy as possible for you to exercise your rights regarding data protection. Therefore we have developed a generator, with which you can create requests like this automatically. We invite you to give it a try.