If you’ve ever tried to get a copy of the personal data a company holds about you, you know it can feel like navigating a maze. The GDPR gives you a clear right to ask, but many people struggle with how to phrase that request in writing. This guide walks you through what a GDPR request letter looks like, when to use it, and how to tailor one for your own situation, with ready‑to‑use samples you can copy and edit.
What a GDPR Request Letter Actually Does
A GDPR request letter is a formal written request that tells a data controller you want to see the personal information they have about you. Under Article 15 of the GDPR, you are entitled to receive:
- A copy of your personal data.
- Information about how the data is being processed.
- Details on whether the data will be shared with third parties.
- Confirmation of how long the data will be kept.
The letter also creates a paper trail that shows you exercised your right, which is useful if the company later claims they never received a request.
When You Should Send a GDPR Request Letter
Most people send one of these letters when they want to:
- Check what data an online service stores about them.
- Verify that a business is complying with the GDPR’s storage limits.
- Prepare for a data portability move to another provider.
- Respond to a data breach notification and ask for specifics of what was exposed.
If you’re dealing with a breach or a company that hasn’t responded to informal emails, a written request can also trigger the one‑month response deadline set by the regulation. In some cases, you may also need to send a separate collection notice sample if a business has publicly disclosed a breach and you want a formal acknowledgment of the incident.
Key Parts of a GDPR Request Letter
Think of the letter as a short, polite business note with a clear purpose. The essential sections are:
- Header – Your name, address, email, and phone number so the controller can reply.
- Recipient details – The name of the company, attention to the Data Protection Officer (if known), and the address.
- Date – Helps prove the request was made within the legal timeframe.
- Subject line – A brief line that references “GDPR Data Access Request” so it’s easy to spot.
- Body – One or two short paragraphs stating you are exercising your right of access, citing Article 15.
- Signature – Your handwritten signature (if mailed) or typed name with a statement that you are the data subject.
If the request touches on confidential information, you might also want to reference a confidentiality agreement template for language that protects the information you share.
Step‑by‑Step Guide to Writing Your Letter
- Gather your contact info – Include enough details for the controller to verify your identity.
- Find the right recipient – Look for a “Data Protection Officer” or “Privacy Contact” on the company’s website.
- Write a concise subject line – Example: Subject: GDPR Data Access Request – John Smith
- Open with a clear statement – “I am writing to exercise my right of access under Article 15 of the GDPR.”
- Specify what you want – Ask for a copy of all personal data, and mention any particular categories (e.g., purchase history, login logs) if relevant.
- Set a deadline – Politely remind the controller that the GDPR requires a response within one month.
- Close politely – Thank the recipient and provide a phone number or email for follow‑up.
The structure mirrors the format used in many formal letters, similar to the layout in our sick leave letter template where clarity and a short deadline are also important.
Ready‑to‑Use GDPR Request Letter Samples
Below are two versions you can adapt. Replace the placeholders in square brackets with your own details.
Simple consumer request
From: [Your Name]
Address: [Your Street, City, Postal Code]
Email: [your.email@example.com]
Phone: [Your Phone Number]
To: [Company Name]
Data Protection Officer
Address: [Company Street, City, Postal Code]
Date: [Day Month Year]
Subject: GDPR Data Access Request – [Your Name]
Dear Data Protection Officer,
I am writing to exercise my right of access under Article 15 of the General Data Protection Regulation. Please provide me with a copy of all personal data you hold about me, including any records of purchases, account details, and communication logs.
If any of this information is stored in a format that is not easily readable, I ask that you provide it in a commonly used electronic format. I also request information on whether my data has been shared with third parties, and if so, a list of those parties.
Under the GDPR, you must respond within one month of receiving this request. If you need to verify my identity, I am happy to provide additional documentation.
Thank you for your prompt attention.
Sincerely,
[Your handwritten signature]
[Your Typed Name]
Request for a specific data set (e.g., login history)
From: [Your Name]
Address: [Your Street, City, Postal Code]
Email: [your.email@example.com]
To: [Company Name]
Attention: [Name of Data Protection Officer or Privacy Team]
Address: [Company Street, City, Postal Code]
Date: [Day Month Year]
Subject: GDPR Request for Specific Data – Login History – [Your Name]
Dear [Recipient Name],
Pursuant to Article 15 of the GDPR, I request access to the following personal data you process about me:
- All login records for my account (username: [your username]) from [start date] to [end date].
- Any IP addresses associated with those logins.
- Details of any security alerts generated by my account.
Please provide this information in a structured, commonly used electronic format (e.g., CSV or JSON). If you are unable to fulfill any part of this request, please explain the reasons and any limitations under the GDPR.
I look forward to your response within the statutory one‑month period.
Kind regards,
[Your handwritten
Common Document Templates & Previews
