GDPR and Your Email Address: Your Rights

The General Data Protection Regulation gives EU residents powerful rights over their personal data, including their email address. Most people do not exercise these rights because they do not know they exist. Here is what you can actually demand from any company that has your email.

Your Email Address Is Personal Data

Under GDPR, your email address is classified as personal data — information that can identify you directly or indirectly. This means every company that collects, stores, or processes your email address must comply with GDPR's strict requirements, regardless of whether they are based in the EU. If they process the data of EU residents, GDPR applies.

This classification has far-reaching implications. That newsletter you signed up for, the online store where you made one purchase, the app you tried for a week — they all hold your personal data and must comply with specific rules about how they handle it.

Your Core Rights Under GDPR

GDPR grants you seven fundamental rights regarding your personal data:

  • Right of access (Article 15): You can request a copy of all personal data a company holds about you, including your email address, any profiles built from it, and who they have shared it with. They must respond within 30 days.
  • Right to rectification (Article 16): You can demand correction of inaccurate data.
  • Right to erasure — "right to be forgotten" (Article 17): You can demand that a company delete all your personal data, including your email address, if they no longer need it for the original purpose or if you withdraw consent.
  • Right to restrict processing (Article 18): You can demand that a company stop using your data while a dispute is being resolved.
  • Right to data portability (Article 20): You can request your data in a machine-readable format and have it transferred to another service.
  • Right to object (Article 21): You can object to your data being used for direct marketing at any time, with no exceptions. The company must stop immediately.
  • Right not to be subject to automated decision-making (Article 22): You can challenge decisions made purely by algorithms based on your data.

How to Exercise These Rights in Practice

Exercising your GDPR rights is straightforward but requires persistence. Start by sending an email to the company's Data Protection Officer (DPO) or privacy team — their contact information should be in the privacy policy. Clearly state which right you are exercising and be specific about what you want.

For a data access request, write something like: "Under Article 15 of GDPR, I request a copy of all personal data you hold about me, associated with the email address [your email]. Please also provide information about the purposes of processing, the categories of data, and any third parties with whom my data has been shared."

For a deletion request: "Under Article 17 of GDPR, I request the deletion of all personal data associated with [your email], including but not limited to account data, marketing profiles, analytics data, and any backups. Please confirm deletion within 30 days."

If a company does not respond within 30 days or refuses your request without valid justification, you can file a complaint with your national data protection authority (CNIL in France, ICO in the UK, etc.).

The Limits of GDPR

GDPR is powerful on paper but has real limitations in practice. Companies can refuse deletion if they have a legal obligation to retain the data (tax records, for instance) or if the data is necessary for a contract. Some companies make the process intentionally difficult, burying it in layers of bureaucracy. Cross-border enforcement is slow and inconsistent.

Most importantly, once your email has been leaked in a data breach, GDPR cannot un-leak it. You can demand a company delete your data, but you cannot demand that hackers delete the copy they already have. This is why prevention — minimizing the number of companies that have your real email — is always better than cure.

A Practical Privacy Strategy

The smartest approach combines GDPR rights with preventive measures. Use temporary email addresses from TempoMail for services you do not fully trust. Reserve your real email for essential services. Periodically audit your accounts and exercise your right to erasure on services you no longer use. This combination of legal rights and practical tools gives you the strongest possible control over your email privacy.