DEV Community

wendygostudio

Originally published at wendygostudio.com

How to Actually Exercise Your GDPR Rights: A Practical Guide

If you're an EU resident, you have six legally enforceable rights over your personal data. Most people don't know this—and even fewer know how to use them. This guide breaks down each right and shows you how to claim them starting today.

Your 6 GDPR Rights (Explained Simply)

  1. Right to Access — Get a copy of all the data a company holds on you (free, within 30 days)
  2. Right to Rectification — Fix inaccurate or incomplete information companies have about you
  3. Right to Erasure — Request deletion of your data ("right to be forgotten")
  4. Right to Data Portability — Receive your data in machine-readable format and move it elsewhere
  5. Right to Restrict Processing — Tell a company to stop using your data while you resolve a dispute
  6. Right to Object — Opt out of marketing and profiling—no explanation needed

How to Delete Your Data (The Most Common Request)

The right to erasure is what most people actually use. Here's how:

1. Find the Data Protection Officer
Look in the company's privacy policy or cookie notice for their DPO email. If it's not there, use their legal or privacy contact.

2. Write Your Request
Keep it simple. Include your name, email on file, what data you want deleted, and mention GDPR Article 17. You don't need to justify—just ask.

3. Send It and Keep Records
Email it directly to them. Take a screenshot or otherwise save a record of when you sent it. The company has 30 days to respond.

4. If They Ignore You, Escalate
After 30 days with silence? File a complaint with your national Data Protection Authority (AEPD in Spain, ICO in the UK, CNIL in France, BfDI in Germany, etc.).

The Important Catch

Deleting your account ≠ deleting your data. Many apps will deactivate your profile but keep your data forever. You have to submit an explicit erasure request to trigger actual deletion.

FAQ

Can they refuse? Yes, but only for legal reasons (legal obligations, defending legal claims, public interest). They must explain in writing.

How long do I have to wait? 30 days standard. They can extend to 60 days but must tell you within the first 30.

Does GDPR apply to US companies? Yes. If you're an EU resident and they process your data, GDPR applies—no matter where they're based.

Erasure vs. Portability? Erasure = delete it. Portability = get a copy to move elsewhere. You can do both.



Top comments (1)

Custralis

Useful from the requester side — the mirror image for developers building the DSAR endpoint is where it gets hard: you must verify the requester's identity without collecting more data than you already hold, honour the 30-day clock, and export data scattered across logs, backups and third-party processors, not just the primary DB. Backups are the usual blind spot: you can't always surgically delete from an immutable snapshot, so the defensible answer is a documented retention window after which the backup expires. A data-map built before the first request lands saves you every time.