Get organizations to delete your account or send you a copy of your personal data.

Data protection laws protect individuals with regards to the processing of their personal data by organizations. They define the responsibilities organizations have when processing personal data, and grant individual certain rights with regards to their data.

Different countries have different regulations protecting individual privacy online. This website supports the following regulations:

• European Union - The General Data Protection Regulations (GDPR)

• California - Consumer Privacy Act (CCPA)

• Brazil - General Data Protection Law (LGPD)

The General Data Protection Regulations, or GDPR for short, is an EU regulation which protects the fundamental right of people to the protection of their personal data.

Read the regulation

The GDPR applies to:

• Organizations established within the EU who collect or process personal data (even of people located outside the EU)

• Organizations established outside the EU collecting or processing personal information while providing goods or services (paid or for free) to people located within the EU

• Organizations established outside the EU collecting or processing personal information while engaged in the monitoring of the behavior of people while they are in the EU

The GDPR does not apply to certain activities including law enforcement, national security, and purely for personal / household activities.

Find out more

The California Consumer Privacy Act, or CCPA for short, is a regulation introduced in California in January 2020. It protects the fundamental right of people to the protection of their personal data and privacy online.

Read the regulation

The CCPA applies to organizations that collect consumer's personal information, or on behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumer's personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:

• Has annual gross revenues in excess of twenty-five million dollars ($25,000,000)

• Annually buys, receives, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices

• Derives 50 percent or more of its annual revenues from selling consumer's personal information

The LGPD (Lei Geral de Proteção de Dados Pessoais) is a Brazilian regulation establishing rules on collecting, handling, storing and sharing of personal data managed by organizations. It establishes the protection of fundamental rights of freedom and of the privacy of individuals as its principal goals.

Read the regulation

The LGPD applies to any individual or legal entity governed by public or private law, that processes personal data (such as collection, production, reception, classification, processing, etc.) in the Brazilian territory and outside the country, when:

• Personal data is collected in Brazil

• Data is related to an individuals located in the Brazilian territory, or

• Their goal is to offer products and/or services to individuals, Brazilian or foreign, in Brazil

The LGPD is not applicable in cases where the processing of personal data is made:

• By a natural person for exclusively private and non-commercial purposes.

• Exclusively for journalistic, artistic or academic purposes.

• By public authorities, in case of use for the promotion of public security, national defense, state security or activities of investigation and prosecution of criminal offenses.

• When the data origin isn't Brazilian territory and: a) isn't the object of any data processing in Brazil; c) isn't shared with Brazilian processing agents; d) isn’t shared with other countries which are not the country of origin, as long as the country of origin has a law or a regulation which provide a level of personal data protection equivalent to data protection offered by the LGPD.

Under the GDPR:

Any information relating to a person which can be directly or indirectly used to identify them. A person can be identified in a wide range of ways including name, identification number, location data or other online identifiers.

Find out more

Under the CCPA:

Personal information is anything that identifies, relates to, describes, or is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Read the definition

Under the LDPG:

Any information relating to an identified or identifiable natural person such as name, ID-number, location data, email, etc.

Sensitive personal data is defined as a subcategory to personal data and applies when the data processed concerns to racial or ethnic origin, religious belief, political opinion, trade union or religious, philosophical or political organization membership, data concerning health or sex life, genetic or biometric data.

Under the GDPR:

The right to erasure is not absolute, and concerns data processing where consent is the legal basis for the processing. For example, data needed due to a contract, or data which is in the public interest does not fall under this definition. More specifically, the right only applies in the following circumstances:

• The organization no longer needs your data. Example: after you have cancelled your gym membership, it no longer needs to keep details of your name, address, age and health conditions.

• You initially consented to the use of your data, but have now withdrawn your consent. Example: you agreed to take part in a market-research study and now no longer wish to do so.

• You have objected to the use of your data, and your interests outweigh those of the organization using it.

• The organization has collected or used your data unlawfully. Example: it hasn't complied with the rules on data protection.

• The organization has a legal obligation to erase your data.

• The data was collected from you as a child for an online service. Example: social media or a gaming app. The law gives children special protection because they may be less aware of the risks and consequences of giving their data to organizations. Even if you are now an adult, you have a right to have your data erased if it was collected from you as a child.

Find out more

Under the CCPA:

Consumers can exercise the right to delete their personal data if:

• The personal information was collected by the business from the consumer.

• It is no longer necessary for the business or service provider to maintain the personal information in order to fulfill one of the purposes identified in by law (California civil code section 1798.105 (d)).

• The business is not entitled to retain the personal information under one of the general exemptions under the law (California civil code section 1798.145).

Under the LGPD:

The regulation requires organizations to delete the personal data of a natural person if it has been requested, since the data has been collected based on consent.

In case of data processing based on consent, the data subject may request the elimination of any data collected, except if the storage is permitted by the LGPD.

If an organization has shared the data with 3rd parties, it must communicate any deletion request with these 3rd parties so that the procedure can be repeated, except in cases where such communication is demonstrably impossible or involves disproportionate effort.

In addition, the LGPD states that data must be deleted if it was processed for reasons that are excessive, unnecessary, or unlawful.

There are certain circumstances where an organization is legally permitted to refuse to erase your data.

Under the GDPR:

• When keeping your data is necessary for reasons of freedom of expression and information (this includes journalism and academic, artistic and literary purposes).

• When the organization is legally obliged to keep hold of your data.

• When keeping hold of your data is necessary for reasons of public health.

• When keeping your data is necessary for establishing, exercising or defending legal claims.

• When erasing your data would prejudice scientific or historical research, or archiving that is in the public interest.

• If, having considered your request, the organization decides it does not need to erase your data, it must still respond to you. It should explain to you why it believes it does not have to erase your data, and let you know about your right to complain about this decision to the ICO, or through the courts.

The organization can also refuse your request if it is, as the law states, “manifestly unfounded or excessive”.

Find out more

Under the CCPA:

• Free speech or another right provided by law.

• Processing for research purposes, if the deletion of personal information would render impossible or seriously impair the achievement of such research.

• Processing of that personal information is necessary to protect against illegal activity or prosecute those responsible for the activity.

• For complying with a legal obligation.

• To perform a contract between the business and the consumer.

• Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for that activity.

• Debug to identify and repair errors that impair existing intended functionality.

• To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business.

• Otherwise use the consumer's personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

Find out more

Under the LGPD:

The LGPD permits keeping data for the following purposes:

• Compliance with a statutory or regulatory obligation by the organization.

• Studies by a research body, guaranteeing, whenever possible, the anonymization of personal data.

• Transfer to third parties, upon compliance with the data processing requirements set forth in this law.

• Exclusive use of the organization of anonymized data, on the condition that access of the data by third parties is prohibited.

Under the GDPR:

faq.An organization has one month to comply with a request. The deadline can be extended to 2 additional months taking into account the complexity and number of requests. In any case, the organization must inform you of such extension within one month from the receipt of the request.

Under the CCPA:

The deadline to respond to a request is 45 days from the receipt of the consumer's request. The deadline can be extended an additional 45 days when reasonably necessary, if the consumer is informed within the first 45 days.

Under the LGPD:

The LGPD specifies a deadline with regards to the right to confirmation of existence of personal data, and the right of access to personal data:

• In simplified form, if the confirmation or access is provided immediately.

• By means of a clear and complete statement, indicating the origin of the data, nonexistence of records, criteria used and purpose of the processing, as the case may be, within 15 (fifteen) days counted from the date of the request.

When submitting a data request via this website, turn on the “Smart Follow-up Assistance” option to get personalized advice on what to do in case an organization has not complied with your request.

If you are unhappy with how the organization has handled your request, you should first send the organization a reminder email explaining your dissatisfaction. If after sending the organization a reminder you are still dissatisfied, you can complain to the Data Protection Agency, a governmental regulatory body. Some regulations provide individuals with a private right of action - the ability to sue an organization in court. If you decide to do this, we strongly advise you to seek independent legal advice first.

Under the GDPR:

You can make a complaint to the local Data Protection Authorities (DPA). You can also seek to enforce your rights through the courts. You can download a list of DPAs here (PDF).

Under the CCPA:

You can make a complaint to the California Attorney General. You can also seek to enforce your rights through the courts.

Under the LGPD:

You can make a complaint to the ANPD. You can also seek to enforce your rights through the courts.

Under the GDPR:

Organizations can be fined up to 4% of annual global turnover for breaching GDPR or 20 Million Euro.

Find out more

Under the CCPA:

The penalty for an intentional violation of the CCPA is $7,500 per incident, and for an unintentional violation $2,500 per incident. Consumers are entitled to between $100-$750 in compensation per incident or actual damages, whichever is greater, if a company did not take reasonable security measures in the event of a breach of sensitive personal information.

Find out more

Under the LGPD:

The administrative sanctions applicable range are:

• Warning.

• By means of a clear and complete statement, indicating the origin of the data, nonexistence of records, criteria used and purpose of the processing, as the case may be, within fifteen days counted from the date of the request.

• Fine that could reach 2% of the group's revenues in Brazil, limited to BRL$ 50 million per violation.

• Daily fine.

• Daily fine.

• Blocking of the personal data to which the infraction refers until its regularization.

• Deletion of the personal data to which the infringement refers.

• Partial suspension of the operation of the database to which the infraction refers for a maximum period of 6 (six) months, extendable for an equal period, until the processing activity is regularized by the organization.

• Partial or total ban on the exercise of activities related to data processing.

The sanctions may be applied cumulatively, by day and violation, but always based on the seriousness and extent of the violation.

Under the GDPR:

The Data Protection Office (DPO), although the legislation states that organizations should train staff to recognize GDPR requests no matter who they reach or in which format.

Under the CCPA:

The CCPA does not define who specifically within an organization is responsible for this.

Under the LGPD:

The Data Protection Officer (DPO). However, small data processing agents such as micro-companies, startups, and legal entities of private law, are not required to appoint the personal data controller, but must provide a communication channel with consumers.

To fix this issue you will need to configure a default email client on your system. Here are instructions on how to do this on Mac and Windows.