How to request right to erasure under GDPR (with email template)

The European General Data Protection Regulation (GDPR), which came into effect in 2018, gives European citizens and residents certain rights over their data.

One such right is the right to erasure, often referred to as the right to be forgotten. Article 17 of the GDPR reads:

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

[...]

(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

For most accounts, expressing withdrawal of consent represents a sufficient basis for erasure of one's data. There are some exceptions where companies are required by law to keep records for several years (e.g., banks).

How to request erasure of your data

Companies that hold data for European subjects are required to appoint a Data Protection Officer (DPO). Among other things, the DPO interfaces with data subjects with regard to data erasure requests. Companies are also required to make the contact details of the DPO available on their website. This information can be found in the website's privacy policy.

Bingo, DPO.

A quick ⌘-F and searching for the strings [email protected], [email protected], [email protected], [email protected] or [email protected] will usually get you the email you're looking for.

Do this for every company for which you plan to request erasure of your data. Armed with your list of DPO addresses, you may now send your request.

Here's a template email I used successfully.

Hello,

In accordance with Article 17 of the European General Data Protection Regulation, please proceed to the erasure of my personal data without undue delay.

- Account information, including my name, date of birth, e-mail address, billing/shipping address, phone number, and stored payment card data.
- User-generated content, which may include things such as photos, tracked activities, statistics, comments, or messages.
- Store or Site Data, which may include information on past orders, product reviews, comments in forums, comments on website content.
- Customer Service Contacts, if I have contacted customer service in the past to resolve any issues, any contact history.
- Marketing tracking or behavior data, which may include things such as open and click rate, website user behavior, browser user agent, user preferences, inferred user behavior, etc.

Accounts may be associated with the following login credentials.

Email addresses: [list your email addresses]
Phone number: [list your phone numbers]
User name: [list your user names]

Please confirm when this operation has been completed.

In my experience, most companies respond within a few days confirming they have deleted your data. Some may ask you to go to their website and go through the account deletion process.

Disclaimer: I'm not a lawyer. This should not be taken as legal advice.

Author

Sebastien Couture

Host at Epicenter, a podcast which explores the current state and potential future of the blockchain and cryptocurrency industry.
