Submit a GDPR deletion request

Under GDPR Article 17, you have the right to request that a data controller delete personal data it holds about you. This is sometimes called the “right to be forgotten.” It is a legal right, not a polite request. Controllers must respond within one month.

It does not apply to everything. Data held for legal obligations, public interest, or ongoing contractual necessity may be exempt. But for data held for marketing, profiling, or services you no longer use, it applies clearly.

Who can submit

EU residents under GDPR. UK residents under UK GDPR (the retained version post-Brexit). Non-EU users of services operating in the EU may also have rights depending on the service’s data processing agreements.

Before you submit

Find the organisation’s privacy contact. Controllers are required to provide one. Look for:

  • A “Data Protection Officer” or “DPO” email, often listed in the privacy policy.

  • A privacy request form, sometimes linked at the bottom of the privacy policy.

  • If the service is small and has neither: email the general contact with the request.

Collect account information: your registered email address, account username, and any identifiers the service uses. The controller needs to verify your identity before acting.

Write the request

A deletion request does not need to be formal. It needs to be clear. Include:

  1. Your full name and contact details.

  2. Account information sufficient to identify you in their system.

  3. A clear statement that you are exercising your right to erasure under GDPR Article 17.

  4. What data you want deleted (all of it, or specific categories).

  5. A request for written confirmation of deletion.

Keep a copy of what you sent and when.

After sending

The controller has one calendar month to respond. If they need more time for a complex request, they may extend by two further months but must tell you within the first month.

If they refuse, they must explain why. Common legitimate grounds: the data is needed to fulfil a contract you are still party to, or to comply with a legal obligation.

If there is no response or you are refused without good reason

Escalate to the relevant national data protection authority:

  • UK: Information Commissioner’s Office (ico.org.uk), make a complaint online.

  • Germany: Bundesdatenschutzbeauftragter or the relevant state authority.

  • France: CNIL.

  • Ireland: Data Protection Commission (for EU HQ services, as many tech companies are registered in Ireland).

Include your original request, the date sent, and any response received.

Practical shortcuts

The site JustDeleteMe maintains direct links to account deletion pages for hundreds of services, which is faster than hunting through settings menus. It also rates how difficult deletion is. Anything rated “hard” or “impossible” is worth a formal GDPR request.