GDPR Request Template

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal data of individuals within the European Union (EU). A GDPR request, often referred to as a Data Subject Access Request (DSAR), allows you to ask organizations whether they process your personal data, and if so, request access to that data, among other rights. Learn more.

Dear Data Protection Officer,

I am writing to you to exercise my rights under the General Data Protection Regulation (GDPR).

As an individual whose personal data you process, I am requesting the following information:

  1. Confirmation that you are processing my personal data.
  2. A copy of my personal data.
  3. The purposes of the processing.
  4. The categories of personal data concerned.
  5. The recipients or categories of recipients to whom my personal data has been or will be disclosed.
  6. The envisaged period for which my personal data will be stored, or, if not possible, the criteria used to determine that period.
  7. The existence of my right to request rectification or erasure of my personal data, or restriction of processing of my personal data, or to object to such processing.
  8. Information about the source of my personal data if it was not collected directly from me.
  9. The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for me.

Below is my information for your reference:

Name:
Email:
Address:

This request is of utmost importance to me and should not be ignored. The GDPR mandates that you respond to such requests within one month. Failure to comply may result in further action being taken.

Thank you for your prompt attention to this matter.

Sincerely,

Text copied to clipboard

1. Copy and send this letter to the data controller of the organization.

2. Follow up until you hear back. The GDPR requires that they respond within one month.

3. Did not get a response? Consider lodging a complaint with your local data protection authority.