Right of Access and Erasure Request under the General Data Protection Regulation (GDPR)
Dear [Name of the company or organization],
The General Data Protection Regulation (GDPR) grants European citizens a right to demand a copy of their information under Article 15 and a right to data erasure (the right to be forgotten) under Article 17.
I am worried that your organization may be putting my personal data at risk of exposure or that you may already have breached your obligation to keep my personal information safe.
I request access to all personal data you hold that relates to me pursuant to Article 15 of the General Data Protection Regulation.
In addition, I would like you to address the following, especially as it relates to my data:
-
the purposes of your processing;
-
the categories of personal data concerned;
-
the recipients you have disclosed my personal data to, and what data has been disclosed to them;
-
your retention period for storing the personal data or, where this is not possible, your criteria for determining how long you will store it;
-
how I can request rectification, erasure or restriction or object to your data processing;
-
information about the source of the data, where it was not obtained directly from me;
-
the existence of automated decision-making (including profiling); and
-
the safeguards you provide if you transfer personal data to a third country or an international organization.
I believe most of the personal data you are processing is no longer necessary to store for the purpose which you originally collected or processed it for. I withdraw my consent for you to process data about that is not absolutely necessary to continue providing me with services I use or have paid for.
On this basis, I ask that you delete all personal data about me you are unnecessarily storing as soon as a copy of said data has been delivered to me. I ask for a final confirmation when this has been done. You may keep data which is strictly necessary to keep my customer account with you and to comply with laws, if such compliance is compulsory, and to keep providing me services and products I actually use. Everything else should be deleted. I ask for a final confirmation when this has been done.
If you do not wish to delete said data, I ask you to state the reasons with precise reference to law and relevant articles in the data protection regulation, so that I have the necessary background information should I choose to lodge a complaint with the Data Protection Authority (DPA).
I also ask that you advise which data has not been deleted to maintain my customer account, continue providing me with services or comply with relevant laws, so that I may complain or ask for correction of said data, if what you decide to keep seems excessive.
I ask that you send me the information in a secure manner so that this request does not lead to further consequences in regards to my personal information. In accordance with Article 12, I expect a response to my request without undue delay and in any event within one month of receipt.
I look forward to receiving your reply.
Best regards,
[Your Name]