The General Data Protection Regulation (GDPR) is the world’s most comprehensive data privacy law, and in 2026 it continues to shape how organizations collect, process, and store personal data — not just in Europe, but globally. If you are a resident of the European Economic Area (EEA), or if you interact with companies that operate within it, the GDPR gives you powerful legal rights over your personal data. Yet surveys consistently show that most people are unaware of these rights or find them too complex to exercise effectively.
This guide demystifies your GDPR rights in plain language, explains exactly how to exercise each one, and provides template language for common requests. Even if you are not in Europe, many of these rights have equivalents in laws like California’s CPRA, the UK GDPR, Brazil’s LGPD, and similar regulations worldwide — making this knowledge globally relevant.
Who Does GDPR Apply To?
GDPR applies to any organization — regardless of where it is headquartered — that processes personal data of individuals in the European Economic Area. This means that a US company with European customers, a Chinese app used by German citizens, or a UK business serving EEA clients post-Brexit (the UK has its own UK GDPR equivalent) must all comply with GDPR’s requirements. Personal data is broadly defined: it is any information that relates to an identified or identifiable natural person. This includes your name, email address, IP address, location data, cookie identifiers, health information, and even inferred attributes derived from your behavior.
In practice, GDPR affects virtually every major website, app, and online service used in Europe, and by extension their global operations. Understanding your rights under GDPR means you have the ability to demand information and accountability from organizations ranging from your local doctor’s surgery to Google, Facebook, and Amazon.
The Eight Key Rights Under GDPR
1. The Right to Be Informed
You have the right to be informed about how your personal data is being collected and used. Organizations must provide this information proactively, typically through a privacy policy, at the point of data collection. The information must be provided in clear, plain language — not buried in incomprehensible legal jargon — and must include: who is collecting the data (the data controller), what data is being collected, why it is being processed, the legal basis for processing, how long it will be retained, whether it will be shared with third parties, and your rights as a data subject. If a company’s privacy notice is unclear, overly technical, or hard to find, this itself may constitute a GDPR violation.
2. The Right of Access (Subject Access Request)
Article 15 of the GDPR gives you the right to obtain confirmation of whether an organization processes your personal data and, if so, to receive a copy of that data along with supplementary information about how it is used. This is exercised through a Subject Access Request (SAR). When you submit a SAR, the organization must respond within one month (extendable by two additional months for complex requests) and provide, free of charge, a copy of all personal data it holds about you, the purposes of processing, the categories of data, the recipients or categories of recipient the data is shared with, the intended retention period, and information about your other GDPR rights.
SARs can be enormously revealing. A SAR submitted to a major social media platform might return hundreds of pages of data: every post you have liked, every ad you have been shown and whether you clicked it, every person who viewed your profile, your inferred interests, your IP address history, your message content, and your account activity log going back years. Filing SARs is one of the most powerful ways to understand exactly what data companies hold about you.
3. The Right to Rectification
Article 16 gives you the right to request that inaccurate personal data be corrected without undue delay. If a company holds incorrect information about you — a misspelled name, a wrong address, an incorrect date of birth, or an inaccurate negative assessment — you can require them to fix it. You can also request that incomplete personal data be completed, including by providing a supplementary statement. Organizations must respond within one month and must inform any third parties to whom the data has been disclosed of the rectification.
4. The Right to Erasure (Right to Be Forgotten)
The right to erasure under Article 17 — popularly known as the “right to be forgotten” — allows you to request the deletion of your personal data in specific circumstances. These circumstances include: the data is no longer necessary for the purpose it was collected; you withdraw the consent on which processing was based; you object to the processing and there are no overriding legitimate grounds to continue; the data was unlawfully processed; or the data must be erased to comply with a legal obligation. The right to erasure is not absolute — organizations can refuse if processing is necessary for exercising freedom of expression, complying with a legal obligation, public interest tasks, or the establishment, exercise, or defence of legal claims. But for marketing data, social media profiles, and any data processed primarily on the basis of your consent, erasure requests are highly effective.
5. The Right to Restrict Processing
Article 18 gives you the right to request that an organization restrict (pause) the processing of your personal data in certain circumstances, even if you are not requesting full deletion. Restriction applies when: you contest the accuracy of your data (restricting processing while accuracy is verified); processing is unlawful but you prefer restriction to erasure; the organization no longer needs the data but you need it retained for a legal claim; or you have objected to processing and verification of grounds is pending. While processing is restricted, the organization may only store the data — not use it — unless they have your consent or specific legal grounds.
6. The Right to Data Portability
Article 20 gives you the right to receive your personal data in a structured, commonly used, and machine-readable format (such as JSON or CSV) and to transmit it to another controller. This right applies to data you have provided to the organization and that is processed by automated means based on consent or contract. In practice, data portability is most relevant when switching service providers — for example, requesting your data from one email provider to migrate to another, or exporting your health records from one medical system to another. Google Takeout and Facebook’s “Download Your Information” tool are practical implementations of data portability.
7. The Right to Object
Article 21 gives you the right to object to the processing of your personal data in certain circumstances. You have an unconditional right to object to processing for direct marketing purposes — organizations must stop processing your data for this purpose immediately with no exceptions. You also have the right to object to processing based on legitimate interests or public interest tasks, though the organization can override your objection if they can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
8. Rights Related to Automated Decision-Making and Profiling
Article 22 gives you the right not to be subject to decisions made solely by automated processing — including profiling — where those decisions have a significant effect on you. This includes automated decisions about loan applications, job applicant screening, insurance pricing, and similar high-stakes decisions. When automated decision-making is used, you have the right to request human review of the decision, to express your point of view, and to contest the decision. Organizations that rely on automated decision-making must disclose this in their privacy notices and provide meaningful information about the logic involved.
How to Submit a GDPR Data Request: Step-by-Step
Exercising your GDPR rights is straightforward. Most organizations now have a dedicated privacy or data rights portal, accessible from their website’s privacy policy page. If not, identify the organization’s Data Protection Officer (DPO) — large organizations are required to appoint one — or their general privacy team email address.
Your request should: clearly identify yourself (name and email address associated with your account), specify which right you are exercising (access, erasure, rectification, etc.), provide enough information for them to locate your data, and specify the data or processing activities you are concerned about if relevant. You do not need to provide extensive justification — for a SAR or erasure request, a simple statement of your request is sufficient. Keep a copy of your request and note the date sent — this starts the one-month response clock.
Template Language for Common GDPR Requests
Subject Access Request: “Under Article 15 of the GDPR, I am requesting a copy of all personal data you hold about me, along with information about how it is processed, its source, and any third parties it has been shared with. My account is registered under [email address]. Please respond within the statutory one-month period.”
Right to Erasure: “Under Article 17 of the GDPR, I am requesting the erasure of all personal data you hold about me. I am exercising this right on the grounds that [the data is no longer necessary for the purpose it was collected / I am withdrawing consent / the data was unlawfully processed]. Please confirm erasure within one month.”
What to Do When Organizations Don’t Comply
If an organization fails to respond within one month, provides an inadequate response, or refuses your request without legitimate grounds, you have several options. First, follow up directly and note that you will escalate to the supervisory authority if they do not comply. If this does not resolve the issue, file a complaint with the relevant data protection authority: in Ireland, this is the Data Protection Commission (DPC); in Germany, the Landesdatenschutzbehörde; in France, the CNIL; in the UK, the ICO. Supervisory authorities have the power to investigate complaints, issue fines of up to €20 million or 4% of global annual turnover (whichever is higher), and order organizations to comply with data subject rights. Filing a complaint is free and can be done through each authority’s online portal.
GDPR in 2026: Enforcement Trends
GDPR enforcement has strengthened significantly since the regulation came into force in 2018. In 2026, cumulative GDPR fines exceed €4 billion, with major penalties issued against Meta, Google, Amazon, and TikTok. The Irish DPC (which supervises most major US tech companies due to their European headquarters in Ireland) has increased its enforcement pace following pressure from other EU member states. Cookie consent violations, unauthorized data transfers outside the EEA, and inadequate privacy notices remain the most frequently cited violations. For individuals, this enforcement environment means that GDPR complaints are increasingly taken seriously and organizations face real consequences for non-compliance.
Conclusion
Your GDPR rights give you meaningful leverage over organizations that process your personal data. From requesting comprehensive copies of everything held about you, to demanding deletion of data no longer needed, to objecting to automated profiling that affects your financial or professional life — these rights are practical tools, not legal abstractions. The key is knowing they exist and being willing to exercise them. In 2026, with data breaches, algorithmic discrimination, and surveillance capitalism more prevalent than ever, actively managing your personal data rights is an essential component of living a private and secure digital life.