If the personal data that companies or other organisations (so-called controllers) have stored on you is no longer necessary for its original purpose, you have a “right to be forgotten” according to the General Data Protection Regulation. This means that you can ask the controller to delete said data.
If the controller has forwarded your data to other companies, the controller also has to inform those companies about your request for deletion.
If you want to learn more, have a look at our article about your rights under the GDPR.
How do I exercise this right?
The GDPR does not impose any requirements on how you make your request. This means that you could in principle simply write an informal letter and send it to the controller. In theory, even a phone call would do.
In most cases, however, you should use the written form, if only to be able to prove later that you have actually made a request. And while you could also state informally that you would like for your data to be deleted, we advise you to make a more formal request referring to the specific legislation. This ensures that the controller cannot talk their way out of their responsibility.
What does a letter like that have to contain?
Don’t worry, you don’t have to write this letter yourself. We have prepared a sample letter for you to copy and adapt for your purposes.
Here is our sample letter for requests for erasure according to Art. 17 GDPR. You still have to fill in the data in curly braces. You can decide whether you want all personal data concerning you to be deleted or just some. Depending on your choice, include one of the sections in [square brackets].
To Whom It May Concern:
I am hereby requesting immediate erasure of personal data concerning me according to Article 17 GDPR.
[Please erase all personal data concerning me as defined by Article 4(1) GDPR.]
[Please delete the following personal data concerning me: {Specify the data to be deleted.}]
I am of the opinion that the requirements set forth in Article 17(1) GDPR are fulfilled. You cannot claim an exception based on Article 17(3) GDPR either, particularly as I am not a public figure.
If I have given consent to the processing of my personal data (e.g. according to Article 6(1) or Article 9(2) GDPR), I am hereby withdrawing said consent for the entire process.
In addition, I am objecting to the processing of personal data concerning me (which includes profiling), according to Article 21 GDPR. I request that you restrict the processing of the data concerning me pending the verification whether your legitimate grounds override mine, pursuant to Art. 18(1)(d) GDPR.
If you have made the aforementioned data public, you are obliged pursuant to Article 17(2) GDPR to take all reasonable steps to inform other controllers, including search engine operators, who process the personal data listed above, that I have requested the erasure of all links, copies or replications. This applies not only to exact copies of the data concerned, but also to those from which information contained in the data concerned can be derived.
In case you have disclosed the affected personal data to third parties, you have to communicate my request for erasure of the affected personal data, as well as any references to it, to each recipient as laid down in Article 19 GDPR. Please also inform me about those recipients.
If you object to the requested erasure, you have to justify that to me.
My request explicitly includes any other services and companies for which you are the controller as defined by Article 4(7) GDPR.
As laid down in Article 12(3) GDPR, you have to confirm the erasure to me without undue delay and in any event within one month of receipt of the request.
I am including the following information necessary to identify me:
{Enter your identification data here. This often includes information like your name, your date of birth, your address, your email address and so on.}
If you do not answer my request within the stated period, I am reserving the right to take legal action against you and to lodge a complaint with the responsible supervisory authority.
Thank you in advance.
To make your life easier, you can also download the letter and use it directly with the word processor of your choice. You can choose between the following templates:
To whom do I send the letter?
You send the letter directly to the controller. If they have a data protection officer, we recommend that you always address the letter directly to this person. Data protection officers are not only specially trained, but are also required to treat your request confidentially.
Isn’t there an easier way?
The idea behind Datenanfragen.de is to make it as easy as possible for you to exercise your rights regarding data protection. Therefore we have developed a generator, with which you can create requests like this automatically. We invite you to give it a try.
We have made the following changes to this sample letter since the initial publication:
- April 18, 2020: Mention that the exceptions of Art. 17(3) GDPR don’t apply either. (The burden of proof here lies with the controller.) Clarify that the withdrawal of consent applies to the entire process. Use the right to restriction of processing (Art. 18(1)(d) GDPR) for the duration of any ambiguities in case the controller objects to our objection. Make use of the information obligation stemming from Art. 17(2) GDPR. More consistent style between all templates. (Thanks, Andreas!)