GDPR Data Request Letter

Pick which GDPR right you're exercising (access, erasure, rectification, portability, restriction, objection). The letter cites the right Article and sets the 30-day timeline.

PDF + Word output
Template — not legal advice

This is a template, not legal advice. The document is generated entirely in your browser from a generic template — UtilityApps does not review it, and we are not a law firm. Before signing, filing, or sending it, have it reviewed by an attorney licensed in your jurisdiction. Laws differ between countries, states, and even cities.

Ad slot · DEV-TOP · horizontal

Request typeWhich GDPR right are you exercising?

You (the data subject)Full legal name*Postal addressEmail*How they can identify your account

e.g. customer number, registered email, order ID. The more they can tie you to a record, the less likely they ask for ID.

RecipientCompany name*Postal address

The company's data protection contact; check their privacy policy for the right address.

Privacy / DPO email*

Live preview Renders the same as your downloads

GDPR Data Subject Request

From Jane Doe to Acme Inc.

Dated: 10 June 2026

1. Recipient

To: Data Protection Officer / Privacy Team

Acme Inc.

Data Protection Officer, Acme Inc., 456 Corporate Blvd, Dublin 2, Ireland

Via email: privacy@acme.example

2. Subject

Data Subject Request — Access (Article 15)

3. Introduction

Dear Sir/Madam,

I am writing to make a formal request as a data subject under the EU/UK General Data Protection Regulation (the "GDPR").

4. 1. My request

I request a copy of all personal data you hold about me, in accordance with my right of access under Article 15 of the GDPR. Please provide: the categories of personal data processed; the purposes of processing; the recipients or categories of recipients to whom my data has been disclosed; the retention periods; the source of the data if not collected from me; and a copy of the personal data undergoing processing.

5. 2. My identity

My name: Jane Doe

Address: 123 Main Street, London, EC1A 1BB, UK

Email: jane@example.com

My customer account is associated with the email jane@example.com.

I include the above information to help you identify my records. Please request additional identity verification only if it is strictly necessary to fulfil this request, and provide reasoning if so.

6. 3. Response timeline

Please confirm receipt of this request promptly. Under Article 12(3) of the GDPR you are required to provide a response without undue delay and in any event within one calendar month of receipt. If you require an extension, you must notify me within that period and explain the reasons.

If you do not intend to comply, please explain your reasons and inform me of my right to complain to a supervisory authority and to seek a judicial remedy.

7. 4. Format and delivery

Please send your response by email to jane@example.com, and where applicable include a written summary.

8. 5. No fee

Article 12(5) of the GDPR provides that responses to data subject requests must be provided free of charge, except where requests are manifestly unfounded, excessive, or repetitive. I do not consider this request to fall within those categories.

9. 6. Closing

Thank you for your prompt attention to this request.

Yours faithfully,

Jane Doe

Dated: 10 June 2026

10. Important — not legal advice

This document was generated from a template by UtilityApps (utilityapps.site). It is provided as-is, with no warranty, and is not legal advice. Laws and required clauses vary by jurisdiction and situation. Before relying on this document, have it reviewed by a lawyer licensed in your jurisdiction.

Ad slot · DEV-BOTTOM · horizontal

Your six GDPR rights, summarised

Article 15 — Access: confirm what they hold and get a copy.
Article 16 — Rectification: have inaccurate data corrected.
Article 17 — Erasure (“right to be forgotten”): ask for your data to be deleted.
Article 18 — Restriction: pause processing while you contest accuracy or grounds.
Article 20 — Portability: receive your data in a machine-readable format you can give to another service.
Article 21 — Objection: object to processing — including an absolute right to opt out of direct marketing.

The one-month clock

Article 12(3) gives the recipient one calendar month from receipt to respond. They can extend by two more months for complex requests but only if they notify you within the first month with reasons. After the deadline, you can complain to your national supervisory authority (the ICO in the UK, the CNIL in France, etc.) — and they do take complaints seriously.

Identity verification

Companies sometimes ask for ID before responding. The GDPR allows this only when strictly necessaryto verify you. Giving them your customer email, account number, or order ID usually identifies you well enough. Refuse blanket requests for passport scans unless they genuinely can’t identify you any other way.

Where to send it

Most companies publish a privacy contact in their privacy policy — usually privacy@company.com or a DPO (Data Protection Officer) at dpo@company.com. Email is fine and creates a timestamped record. Keep a copy of what you sent.

Frequently asked

Questions about this tool

What is a GDPR Data Subject Request?

Under the EU/UK General Data Protection Regulation, you (the data subject) have the right to ask any organisation that holds your personal data to (a) confirm what they hold, (b) provide a copy, (c) delete it, (d) correct it, (e) port it to another service, or (f) restrict its processing. The request must be answered within one calendar month.

Which request type should I pick?

Article 15 (Access) — to see what they have. Article 17 (Erasure / 'right to be forgotten') — to delete. Article 16 (Rectification) — to correct inaccurate data. Article 20 (Portability) — to receive a machine-readable copy. Article 18 (Restriction) — to pause processing while you contest it. Article 21 (Object) — to stop direct marketing.

Where do I send it?

The organisation's privacy contact email is the simplest — most companies publish a privacy@company.com or list a DPO (Data Protection Officer) in their privacy policy. The letter can be sent by email or post; email is fine. Keep a dated copy of what you sent.

Is my data sent to a server?

No. The form, the document generation, and the PDF/Word file all run entirely in your browser. Nothing you type leaves your device. You can disconnect from the internet after the page loads and the tool still works.

Is this legal advice?

No. UtilityApps is not a law firm and these tools generate generic templates from form input — they do not constitute legal advice and do not create an attorney-client relationship. Laws and required clauses vary widely by jurisdiction and situation. Before signing, sending, or filing the document, have it reviewed by an attorney licensed in the relevant jurisdiction.

More legal tools

Related tools

Legal Tools

Privacy Policy Generator

Generate a GDPR/CCPA-aware privacy policy from a short form — download as PDF or Word.

New Trending659 users/month

Legal Tools

Terms of Service Generator

Build a terms-of-service contract for your site or app — pick clauses, download as PDF or Word.

New Trending1679 users/month

Legal Tools

Cookie Policy Generator

Build a cookie policy listing the categories you use — strictly necessary, analytics, advertising, social.

New1255 users/month

Legal Tools

NDA Generator

Generate a Non-Disclosure Agreement — mutual or one-way — with custom parties, term and jurisdiction.

New Trending1468 users/month

Legal Tools

Freelance Contract Generator

Independent-contractor agreement with scope, payment, IP, kill fee and governing law — PDF or Word.

New Trending1989 users/month

Legal Tools

DMCA Takedown Notice Generator

Generate a §512(c)(3)-compliant takedown notice with all six required elements.

New1030 users/month

Legal Tools

Cease and Desist Letter

Formal cease-and-desist letter template for trademark, copyright, defamation, harassment or breach claims.

New1115 users/month

4. 1. My request

5. 2. My identity

My name: Jane Doe

Address: 123 Main Street, London, EC1A 1BB, UK

Email: jane@example.com

My customer account is associated with the email jane@example.com.

I include the above information to help you identify my records. Please request additional identity verification only if it is strictly necessary to fulfil this request, and provide reasoning if so.

6. 3. Response timeline

If you do not intend to comply, please explain your reasons and inform me of my right to complain to a supervisory authority and to seek a judicial remedy.

Your six GDPR rights, summarised

Article 15 — Access: confirm what they hold and get a copy.

Article 16 — Rectification: have inaccurate data corrected.

Article 17 — Erasure (“right to be forgotten”): ask for your data to be deleted.

Article 18 — Restriction: pause processing while you contest accuracy or grounds.

Article 20 — Portability: receive your data in a machine-readable format you can give to another service.

Article 21 — Objection: object to processing — including an absolute right to opt out of direct marketing.

The one-month clock

Identity verification