Rights to object, to rectification, to erasure and to restrict processing

Self-determined and free: Correct and delete data, unsubscribe from advertising

Exercise your rights: Demand a data correction or deletion!
Once your personal data is outdated or not necessary any longer, you can demand a deletion. Correcting your data is also possible, just like objecting the processing of your data. All of these rights you can exercise with an informal letter.

Below, you’ll find a sample letter as a PDF download or as a text to copy and paste into an e-mail. You’ll still have to add your address and the company’s address. If available, you can also add your customer or billing number. Please send the letter directly to the company in the end.

Important: Your request must be handled at no cost to you. Companies can only charge you in cases of unfounded or excessive, repetitive requests. If companies require a copy of a proof of identification, you can redact any information that’s not necessary for your request.

Download the sample letter:

Right to object pursuant to Article 21(2) GDPR

To whom it may concern:

Pursuant to Article 21(2) of the General Data Protection Regulation (GDPR) I object the processing of my personal data for direct marketing purposes:

Please confirm receipt of my request. In accordance with Article 12(3) GDPR, I ask for information on action taken until the following date at the latest:

In case of non-compliance with my demand, I will contact a data protection authority. Furthermore, I reserve the right to take further legal action, which may include the enforcement of claims for damages according to Article 82 GDPR.

Sincerely,

***
Notes on using this sample letter

  1. Please enter your address and the company’s address. If available, you can add your customer and/or billing number.
  2. Write down what data or data categories you object to being used for direct marketing purposes. You can also just write: “Any and all personal data.”
  3. The company needs to respond without undue delay, at the latest within one month of receipt of your request. That’s why you can enter a deadline one month and three days (for shipping) after mailing the request.
  4. Please send the letter directly to the company in question (not to consumer protection organisations or authorities).

Right to object pursuant to Article 21(1) GDPR

To whom it may concern:

Pursuant to Article 21(1) of the General Data Protection Regulation (GDPR) I object the processing of my personal data:

The following reason exists for my objection:

I object to the processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in you as the controller.

Your legitimate interests on which the data processing is based do not override my interests and my freedoms which require protection of personal data.

Please confirm receipt of my request. In accordance with Article 12(3) GDPR, I ask for information on action taken until the following date at the latest:

In case of non-compliance with my demand, I will contact a data protection authority. Furthermore, I reserve the right to take further legal action, which may include the enforcement of claims for damages according to Article 82 GDPR.

Sincerely,

***
Notes on using this sample letter

  1. Please enter your address and the company’s address. If available, you can add your customer and/or billing number.
  2. Write down what processing of data or data categories you object to. You can also just write: “Any and all personal data.”
  3. Choose why you object to the processing of your personal data.
    • Public interest: In case the data processing is done to fulfill a task in the public interest, you can object to this data processing.
    • Legitimate interest of third parties: Data controllers can process your data without your consent based on their legitimate interests. Yet, if your personal freedoms and your privacy rights override their legitimate interests, an objection to the data processing is possible.
  4. The company needs to respond without undue delay, at the latest within one month of receipt of your request. That’s why you can enter a deadline one month and three days (for shipping) after mailing the request.
  5. Please send the letter directly to the company in question (not to consumer protection organisations or authorities).

Right to rectification pursuant to Article 16 GDPR

To whom it may concern:

Pursuant to Article 16 of the General Data Protection Regulation (GDPR) I demand the following personal data to be corrected without delay:

In line with Article 19 GDPR, you are required to inform other recipients to whom personal data have been disclosed about my demand to have personal data rectified.

Please confirm receipt of my request. In accordance with Article 12(3) GDPR, I ask for information on action taken until the following date at the latest:

In case of non-compliance with my demand, I will contact a data protection authority. Furthermore, I reserve the right to take further legal action, which may include the enforcement of claims for damages according to Article 82 GDPR.

Sincerely,

***
Notes on using this sample letter

  1. Please enter your address and the company’s address. If available, you can add your customer and/or billing number.
  2. Write down what data should be corrected.
  3. The company needs to respond without undue delay, at the latest within one month of receipt of your request. That’s why you can enter a deadline one month and three days (for shipping) after mailing the request.
  4. Please send the letter directly to the company in question (not to consumer protection organisations or authorities).

Right to erasure pursuant to Article 17(1) GDPR

To whom it may concern:

Pursuant to Article 17(1) of the General Data Protection Regulation (GDPR) I demand the following personal data to be erased without delay:

The following reason exists for the deletion:

The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.

I have withdrawn my consent on which the processing was based according to point (a) of Article 6(1) or point (a) of Article 9(2), and there is no other legal ground for the processing.

I have objected to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing.

I have objected to the processing for direct marketing purposes pursuant to Article 21(2).

My personal data personal data have been unlawfully processed.

My personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.

My personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

In line with Article 17(2) GDPR, if you have made the personal data public, you are required to inform controllers which are processing the personal data that I have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

Please confirm receipt of my request. In accordance with Article 12(3) GDPR, I ask for information on action taken until the following date at the latest:

In case of non-compliance with my demand, I will contact a data protection authority. Furthermore, I reserve the right to take further legal action, which may include the enforcement of claims for damages according to Article 82 GDPR.

Sincerely,

***
Notes on using this sample letter

  1. Please enter your address and the company’s address. If available, you can add your customer and/or billing number.
  2. Write down what data or data categories should be erased. You can also just write: “Any and all personal data.”
  3. Choose why you demand the deletion of your data.
    • Data not necessary any longer: If the original purpose of the data processing is not valid anymore, you can ask for the erasure of your data.
    • Withdrawal of consent: Point (a) of Article 6(1) GDPR gives your consent as a valid reason for the processing of your data. Once you have given but then withdrawn this consent, you can demand the erasure of your data. Point (a) of Article 9(2) GDPR follows the same principle, just concerning highly sensitive data such as health data.
    • Objection: If you object to the processing of your data according to Article 21(1) GDPR and data controllers can’t give any reasons overriding your objection, you can demand the deletion of your data.
    • Objection against direct marketing: If you object to the processing of your data for direct marketing purposes according to Article 21(2) GDPR and then you want your data deleted, data controllers have to follow this demand, no matter what reasons they might have for processing your data.
    • Unlawful processing: If your data has been processed unlawfully, for instance without your consent, without being based on a contractual obligation or without being in the legitimate interests of a third party, you can demand your data be deleted.
    • Erasure is necessary: Based on a contract, for example, your data might be required to be deleted, so you can demand such an erasure with this point.
    • Privacy for children: In cases when processing concerns children (based on Article 8(1) GDPR), an erasure can be demanded.
  4. The company needs to respond without undue delay, at the latest within one month of receipt of your request. That’s why you can enter a deadline one month and three days (for shipping) after mailing the request.
  5. Please send the letter directly to the company in question (not to consumer protection organisations or authorities).

Right to restriction of processing pursuant to Article 18(1) GDPR

To whom it may concern:

Pursuant to Article 18(1) of the General Data Protection Regulation (GDPR) I demand the restriction of the processing of the following personal data without delay:

The following reason exists for the restriction of processing:

I contest the accuracy of the personal data and demand a verification of the accuracy of the personal data.

The processing is unlawful and instead of an erasure of the personal data, I request the restriction of their use.

The personal data are no longer necessary for the purposes of the processing, but I require them for the establishment, exercise or defense of legal claims.

I have objected to the processing for direct marketing purposes pursuant to Article 21(2), but the verification whether the legitimate grounds of the controller override my interests is still pending.

In line with Article 19 GDPR, you are required to inform other recipients to whom personal data have been disclosed about my demand to have the processing of personal data restricted. Before the restriction is lifted, you have to inform me about this in line with Article 18(3).

Please confirm receipt of my request. In accordance with Article 12(3) GDPR, I ask for information on action taken until the following date at the latest:

In case of non-compliance with my demand, I will contact a data protection authority. Furthermore, I reserve the right to take further legal action, which may include the enforcement of claims for damages according to Article 82 GDPR.

Sincerely,

***
Notes on using this sample letter

  1. Please enter your address and the company’s address. If available, you can add your customer and/or billing number.
  2. Write down what processing of data or data categories should be restricted. You can also just write: “Any and all personal data.”
  3. Choose why you demand the restriction of data processing.
    • Accuracy contested: If you contest the accuracy of your personal data and are asking for a verification, the data processing can be restricted during this verification period.
    • Unlawful processing: If your data has been processed unlawfully, for instance without your consent, without being based on a contractual obligation or without being in the legitimate interests of a third party, you can demand your data be deleted.
    • Data not necessary any longer: If the original purpose of the data processing is not valid anymore, you can ask for the erasure of your data or the restriction of its processing. When data processing is restricted, your persona data is still stored with the company, but temporarily, it may not process them.
    • Objection: If you object to the processing of your data according to Article 21(1) GDPR, data controllers have the option to name reasons that might override your right to object. For as long as this verification is pending, you can demand the restriction of data processing.
  4. The company needs to respond without undue delay, at the latest within one month of receipt of your request. That’s why you can enter a deadline one month and three days (for shipping) after mailing the request.
  5. Please send the letter directly to the company in question (not to consumer protection organisations or authorities).