Submit a GDPR deletion request¶
Under GDPR Article 17, anyone has the right to ask a data controller to delete the personal data it holds about them. This is sometimes called the “right to be forgotten”. It is a legal right, not a polite request, and controllers are obliged to respond within one month.
It does not cover everything. Data held for legal obligations, public interest, or ongoing contractual necessity may be exempt. For data held for marketing, profiling, or a service no longer used, it applies clearly.
Who can submit¶
EU residents under GDPR, and UK residents under UK GDPR (the retained version after Brexit). Non-EU users of services operating in the EU may also have rights, depending on the service’s data processing arrangements.
Before submitting¶
Find the organisation’s privacy contact; controllers are required to provide one. Look for:
A “Data Protection Officer” or “DPO” email, often in the privacy policy.
A privacy request form, sometimes linked at the foot of the privacy policy.
Failing both, for a small service, the general contact address.
Gather the account details the controller needs to verify identity before acting: the registered email address, account username, and any identifiers the service uses.
Write the request¶
A deletion request need not be formal, only clear. Include:
Full name and contact details.
Account information sufficient to identify the account in their system.
A clear statement that this exercises the right to erasure under GDPR Article 17.
What is to be deleted: all of it, or specific categories.
A request for written confirmation of deletion.
Keep a copy of what was sent, and when.
After sending¶
The controller has one calendar month to respond. A complex request may be extended by two further months, but the controller has to give notice within the first month.
A refusal has to come with an explanation. Common legitimate grounds are that the data is needed to fulfil a current contract, or to meet a legal obligation.
No response, or refusal without good reason¶
Escalate to the relevant national data protection authority:
UK: the Information Commissioner’s Office (ico.org.uk), which takes complaints online.
Germany: the Bundesdatenschutzbeauftragter or the relevant state authority.
France: the CNIL.
Ireland: the Data Protection Commission, which handles many tech companies registered there.
Include the original request, the date sent, and any response received.
Practical shortcuts¶
JustDeleteMe keeps direct links to account-deletion pages for hundreds of services, faster than hunting through settings, and rates how hard deletion is. Anything rated “hard” or “impossible” is worth a formal GDPR request.
Last reviewed: 2026-07-08.