Personal data sits in dozens of places without most people ever seeing it. Online shops, banks, employers, mobile apps, schools, and social media platforms all collect bits and pieces over time.
Sometimes a simple question pops up. What exactly does that company know? The answer is often much bigger than expected.
The GDPR gives people in many situations the right to ask organizations for a copy of their personal data. A well-written request can save time and help the process move along smoothly.

Sample Letters of GDPR Data Access Request
The samples below cover several common situations. Pick the one that best matches the reason for the request, then adjust any details to fit the specific organization.
1. General GDPR Data Access Request
Subject: GDPR Data Access Request
Dear Data Protection Officer,
I am writing to request access to the personal data your organization holds about me under Article 15 of the General Data Protection Regulation (GDPR).
Please provide a copy of all personal data relating to me that is currently being processed. I would also appreciate information about:
- The purposes for processing my data.
- The categories of personal data you hold.
- Any third parties with whom my data has been shared.
- The expected retention period for my personal data.
- The source of the data if it was not collected directly from me.
- Any automated decision-making or profiling involving my information.
My details are as follows:
Full Name: Sarah Mitchell
Email Address: sarah.mitchell@email.com
Customer Number: 847291
If you require additional information to verify my identity, please let me know.
I look forward to your response within the time period required by the GDPR.
Kind regards,
Sarah Mitchell
2. Data Access Request to an Online Retailer
Subject: Request for Access to Personal Data
Dear Customer Privacy Team,
Under Article 15 of the GDPR, I would like to request a copy of all personal information your company holds about me.
Please include information related to my customer account, purchase history, payment records where legally permissible, delivery addresses, customer support communications, product reviews, marketing preferences, and any profiling used for product recommendations.
My account details are listed below.
Name: David Thompson
Email: david.thompson@email.com
If identity verification is required before processing this request, please advise me of the necessary steps.
Thank you for your assistance. I look forward to receiving your response within the applicable GDPR deadline.
Sincerely,
David Thompson
3. Employee GDPR Data Access Request
Subject: Employee Personal Data Access Request
Dear Human Resources Manager,
I am writing to request access to the personal data your organization holds about me under Article 15 of the General Data Protection Regulation (GDPR).
Please provide a copy of all personal information relating to my employment, including records maintained by Human Resources and any other department that processes my data where appropriate.
If available, I would appreciate copies of the following:
- My employment records.
- Payroll information.
- Attendance records.
- Performance reviews.
- Training records.
- Internal correspondence that contains my personal data where disclosure is permitted.
- Information about any third parties who have received my personal data.
- The purposes for which my personal data is processed.
- The planned retention period for these records.
My details are as follows.
Employee Name: Michael Carter
Employee ID: EC-28471
Department: Finance
If further identification is needed before processing this request, please let me know.
Thank you for your time. I look forward to receiving your response within the timeframe required under the GDPR.
Yours sincerely,
Michael Carter
4. GDPR Data Access Request to a Healthcare Provider
Subject: Request for Access to Personal Data Under GDPR
Dear Data Protection Officer,
I wish to request access to the personal data your healthcare organization holds about me under Article 15 of the General Data Protection Regulation.
Please provide copies of my personal information, including medical records, appointment history, referral information, correspondence relating to my care, billing records where applicable, and any other personal data maintained in your systems.
Please also provide details of:
- The purpose for processing my personal data.
- The categories of information you hold.
- Any organizations or healthcare professionals with whom my information has been shared.
- The expected retention period for my records.
My details are listed below.
Patient Name: Emma Richardson
Date of Birth: 18 April 1992
Should you require proof of identity before releasing this information, I will be happy to provide it.
Thank you for your assistance. I look forward to your response within the statutory period.
Kind regards,
Emma Richardson
5. GDPR Data Access Request to a Bank
Subject: GDPR Subject Access Request
Dear Privacy Office,
I am exercising my right under Article 15 of the General Data Protection Regulation to obtain access to the personal data your bank holds about me.
Please provide copies of all personal information associated with my banking relationship, including account information, customer correspondence, records of communications, loan applications where applicable, identity verification records, marketing preferences, and any internal notes containing my personal data where disclosure is permitted by law.
Please also include information regarding:
- The purposes for processing my personal data.
- Categories of personal information held.
- Third parties that have received my personal data.
- The anticipated retention period for my records.
- Any automated decision-making processes involving my information.
My account details are as follows.
Full Name: Daniel Foster
Customer Number: 56290184
If you require additional documentation to verify my identity, please let me know.
Thank you for your attention to this request. I look forward to your response within the period required under the GDPR.
Yours faithfully,
Daniel Foster
6. GDPR Data Access Request to a Social Media Platform
Subject: Request for Access to My Personal Data
Dear Privacy Team,
I am submitting this request under Article 15 of the General Data Protection Regulation (GDPR) to obtain access to the personal data your platform holds about me.
Please provide a copy of all personal data associated with my account. This should include, where available, my profile information, uploaded content, messages that can legally be disclosed, account activity logs, advertising preferences, location history, device information, search history, and records of interactions with your services.
I would also appreciate information regarding:
- The purposes for processing my personal data.
- The categories of personal data you maintain.
- Any recipients or categories of recipients who have received my data.
- The expected retention period for my information.
- Whether automated decision-making or profiling has been applied to my account.
My account details are as follows.
Name: Jennifer Adams
Email Address: jennifer.adams@email.com
Username: @JenniferA
If identity verification is necessary, please let me know what documents are required.
Thank you for your assistance. I look forward to your response within the timeframe required by the GDPR.
Yours sincerely,
Jennifer Adams
7. GDPR Data Access Request to a University
Subject: Request for Access to Personal Data Under GDPR
Dear Data Protection Officer,
I am writing to request access to all personal data your university holds about me under Article 15 of the General Data Protection Regulation.
Please provide copies of my student records, admissions documents, academic transcripts, examination records, disciplinary records where applicable, financial records, accommodation records if relevant, and correspondence containing my personal data.
Please also include information about:
- The reasons my personal data is processed.
- The categories of personal information held.
- Any external organizations that have received my personal data.
- The retention period for my records.
- The source of any personal data that was not collected directly from me.
My details are as follows.
Student Name: Olivia Bennett
Student Number: S20218473
If further identification is required before processing this request, please let me know.
Thank you for your attention. I look forward to receiving your response within the period required under the GDPR.
Kind regards,
Olivia Bennett
8. GDPR Data Access Request Following Account Closure
Subject: Personal Data Access Request After Account Closure
Dear Privacy Team,
Although I have closed my account with your organization, I am exercising my right under Article 15 of the General Data Protection Regulation to request access to any personal data you continue to hold about me.
Please provide a copy of all remaining personal information associated with my previous account. I would also appreciate details of the reasons the information is still being retained, the expected retention period, any third parties that have received my data, and any legal basis relied upon for continued processing.
My previous account details are listed below.
Name: Robert Lewis
Registered Email: robert.lewis@email.com
Former Customer ID: 903118
If you need additional information to confirm my identity, please let me know.
Thank you for your assistance. I look forward to your response within the statutory deadline.
Yours faithfully,
Robert Lewis
9. GDPR Data Access Request Through an Authorized Representative
Subject: GDPR Data Access Request Submitted by an Authorized Representative
Dear Data Protection Officer,
I am writing on behalf of Emily Harris, who has authorized me to act for her in relation to this request under Article 15 of the General Data Protection Regulation (GDPR). A signed authorization letter is enclosed with this request.
Please provide a copy of all personal data your organization holds concerning Emily Harris, together with the information required under Article 15 of the GDPR.
Specifically, please include:
- The purposes for processing her personal data.
- The categories of personal data held.
- The recipients or categories of recipients who have received the data.
- The expected retention period for the data.
- The source of the data where it was not collected directly from her.
- Details of any automated decision-making or profiling, where applicable.
The individual’s details are as follows.
Name: Emily Harris
Date of Birth: 22 September 1988
Registered Email: emily.harris@email.com
If further documentation is required to verify either my authority or Emily Harris’s identity, please let me know at your earliest convenience.
Thank you for your cooperation. I look forward to your response within the period required by the GDPR.
Yours faithfully,
Jonathan Harris
Authorized Representative
10. GDPR Data Access Request After Suspected Data Breach
Subject: Request for Access to Personal Data Following a Suspected Data Breach
Dear Data Protection Officer,
I am writing to request access to all personal data your organization holds about me under Article 15 of the General Data Protection Regulation.
This request follows notification of a suspected data security incident involving your organization. I would like to understand exactly what personal information relating to me is currently held and processed.
Please provide copies of my personal data together with the following information:
- The categories of personal data held.
- The purposes for processing that data.
- The recipients or categories of recipients who have received my personal information.
- Any records showing whether my personal data was involved in the reported security incident, where disclosure is legally permitted.
- The expected retention period for my personal data.
- Any steps your organization has taken to protect my information following the incident.
My details are listed below.
Name: Christopher Walker
Customer Number: 6172549
Email Address: christopher.walker@email.com
If proof of identity is required before processing this request, please let me know what documentation you need.
Thank you for your prompt attention to this matter. I look forward to receiving your response within the timeframe required by the GDPR.
Yours sincerely,
Christopher Walker
Wrapping Up
A GDPR data access request does not have to be long or packed with legal language to be effective. A clear, polite letter that identifies the requester and explains what information is being requested will usually give an organization everything it needs to begin processing the request. Including details such as an account number, employee ID, or registered email address can also help the organization locate the correct records more quickly.
Each sample above serves a different purpose, from a simple request to one involving a former employee, a healthcare provider, or a suspected data breach. Pick the version that best fits the situation, make any necessary changes, and send it with any identification the organization reasonably requests. A few minutes spent choosing the right letter can make the whole process much smoother.