General information only

Article 17
Right to Erasure.

A practical guide to the GDPR right to ask a controller to erase personal data, what usually belongs in a request, where limits can apply, and how a review-first workflow helps keep evidence organized.

Last updated: 10 June 2026. This guide is not legal advice and does not replace qualified counsel or a supervisory authority.

What Article 17 addresses

Article 17 of Regulation (EU) 2016/679 is commonly called the “right to erasure” or “right to be forgotten.” It gives a data subject a way to ask a controller to erase personal data where one of the legal grounds applies. It is not an automatic delete button and it does not override every retention duty.

Data subject: The person whose personal data is involved.
Controller: The organisation deciding why and how the data is processed.
Erasure: Deletion or removal from active processing, subject to legal context.

When an erasure request may have a basis

The exact legal assessment depends on the controller, the data, the processing purpose, and national practice. In everyday workflows, requests often reference one or more of these Article 17 themes:

No longer necessary: The data is no longer needed for the purpose for which it was collected.
Consent withdrawn: The processing was based on consent and no other legal basis applies.
Objection: You object to processing and there are no overriding legitimate grounds.
Unlawful processing: The personal data was processed unlawfully.
Legal erasure duty: EU or Member State law requires erasure.
Children’s services context: Special rules may apply for information society services offered to children.

Why a controller may not erase everything

A controller may have lawful reasons to refuse, delay, narrow, or document erasure instead of deleting every record immediately. Typical examples include legal obligations, establishment or defence of legal claims, public-interest archiving, research/statistics safeguards, or freedom of expression and information.

A refusal should generally explain the reason and available remedies. If the answer is unclear, you can ask for clarification, request restriction where appropriate, or contact a supervisory authority.

What a strong request usually contains

Keep the request factual, specific, and reviewable. Do not include unnecessary sensitive data. Use the controller’s published privacy contact, DPO contact, support form, or verified channel where available.

  • Your name and the email/account identifier the controller can match.
  • A clear statement that you request erasure under GDPR Article 17.
  • The account, service, or personal data category you want addressed.
  • A request for confirmation or a reasoned explanation if erasure is limited.

Subject: GDPR Article 17 erasure request

Hello, I am requesting erasure of personal data associated with this email address/account under Article 17 GDPR, where applicable. Please confirm completion or explain any legal basis for retaining specific data.

Please also inform me if you need proportionate identity verification to process this request.

Example wording only. Adapt it to your facts and review it before sending.

A practical response timeline

GDPR response timing is often discussed as around one month, with possible extensions in defined circumstances. Exact counting, pauses for identity verification, and remedies can depend on context and national practice.

Send the request

Use a verified controller channel and keep a copy of the message and recipient address.

Record acknowledgement

Save confirmation, ticket IDs, automated replies, or identity-verification instructions.

Review the answer

Check whether erasure was confirmed, limited, refused, or redirected to another controller.

Follow up carefully

Ask for clarification where needed, then consider supervisory authority options if the matter remains unresolved.

Software support, not a legal outcome guarantee

spectre helps users find likely account traces in supported mailbox signals, draft Article 17-oriented requests, review text before sending, and keep workflow records. It does not delete data from third-party systems, force controllers to comply, provide legal advice, or replace a statutory Data Protection Officer.