Since it's tedious as fuck to find copy-pasteable email templates to throw at people sending batches of unsolicited marketing garbage, because all the results in web search engines are all about creatively interpreting the GDPR to actually send spam, here is mine:
Hello,
Since I'm an European Union citizen, all my personal data, including my email address, are protected by the Data protection Regulation (GDPR), even if your company is based outside of the EU. See https://www.privacy-regulation.eu/en/ for details.
As a data controller you are thus subjected to various obligations, notably transparency.
As per Article 15 ( https://www.privacy-regulation.eu/en/15.htm ), please do provide me with: 1. all the personal data you have about me; 2. the purpose of the processing; 3. why and how you collect/got access to them; 4. if you share my data with other entities.
As per Article 7, ( https://www.privacy-regulation.eu/en/7.htm ), if this processing is based on my consent, please do send me the information demonstrating that I have indeed consented to it.
As per Article 17, ( https://www.privacy-regulation.eu/en/17.htm ), I also want all my personal data to be destroyed from your databases or other storage. But only after you provide me with the information requested above.
As per Article 19, ( https://www.privacy-regulation.eu/en/19.htm ), do ask any company to whom you might have transferred my data to do so as well, and provide me with proof of said destructions.
As per Article 12 (3) ( https://www.privacy-regulation.eu/en/12.htm ), you have one month to fulfill this request. After said period, be assured that I will refer the case to the competent supervisory authority ( https://edpb.europa.eu/about-edpb/board/members_en ), that has power to hand out significant fines ( https://www.privacy-regulation.eu/en/83.htm ).
Have a nice day,
If you're French, the CNIL has a nice list of templates
A trick that companies like to pull is to ask for a copy of a governmental id for any GDPR-related request, so here is the proper reply:
Hello,
Please be advised that requesting copies of government issued ID is explicitly against the Guidelines 01/2022 on data subject rights - Right of access Version 2.1, adopted on 28 March 2023 (https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202201_data_subject_rights_access_v2_en.pdf). specifically section 3.3.73 to 3.3.75:
In practice, authentication procedures often exist and controllers do not need to introduce additional safeguards to prevent unauthorised access to services. In order to enable individuals to access the data contained in their accounts (such as an e-mail account, an account on social networks or online shops), controllers are most likely to request the logging through the login and password of the user, which in such cases should be sufficient to authenticate a data subject36. Furthermore, the data subjects are often already authenticated by the controller before entering into a contract or collecting their consent to the processing and, as a result, the personal data used to register the individual concerned by the processing can also be used as evidence to authenticate the data subject for access purposes37. Consequently, it is disproportionate to require a copy of an identity document in the event where the data subject making a request is already authenticated by the controller.
It should be emphasised that using a copy of an identity document as a part of the authentication process creates a risk for the security of personal data and may lead to unauthorised or unlawful processing, and, as such, it should be considered inappropriate, unless it is necessary, suitable, and in line with national law. In such cases, the controllers should have systems in place that ensure a level of security appropriate to mitigate the higher risks for the rights and freedoms of the data subject to receive such data. It is also important to note that authentication by means of an identity card does not necessarily help in the online context (e.g. with the use of pseudonyms) if the person concerned cannot contribute any other evidence, e.g. further characteristics matching to the user account
Taking into account the fact, that many organisations (e.g. hotels, banks, car rentals) request copies of their clients’ ID card, it should generally not be considered an appropriate way of authentication. Alternatively, the controller may implement a quick and effective security measure to identify a data subject based on the authentication it has previously carried out, e.g. via e-mail or text message containing confirmation links, security questions or confirmation codes38.
Henceforth, I won't be providing you with the government issued ID you requested.
Please do update me on the status of my previous request, keeping in mind that you have N days left to fulfil it.
Have a nice day,