
Meta Data Breach — Exercise Your GDPR Rights

Meta has been involved in multiple major data incidents affecting hundreds of millions of EU residents. Under GDPR, you have the right to find out exactly what data they hold — and to request its deletion.

⚖️ Regulatory action: Meta was fined €1.2 billion by the Irish DPC in 2023 — the largest GDPR fine ever issued.

What happened

2021: 533 million users affected

Personal data scraped from Facebook profiles was published online, including phone numbers, email addresses, full names, locations, and dates of birth.

Data exposed:
  • Phone numbers
  • Email addresses
  • Full names
  • Locations
  • Dates of birth
  • Facebook profile IDs

2019: 87 million users affected

Cambridge Analytica harvested profile data of up to 87 million Facebook users without their consent for political profiling.

Data exposed:
  • Profile data
  • Likes and interests
  • Friend networks
  • Political preferences

What you can do

A GDPR subject access request forces Meta to show you every piece of data they hold: messages, ad profiles, inferred interests, location history, and more. After a breach, you also have strengthened grounds to request full erasure.

You have two key rights under GDPR:

Generate your access request

This letter is pre-addressed to Meta Platforms Ireland Limited, the official EU data controller for Meta (Facebook / Instagram).

To: Meta Platforms Ireland Limited
4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

Dear Data Protection Officer,

I am writing to exercise my rights under the General Data Protection Regulation (GDPR). As an individual whose personal data you process, I am requesting the following information:

  1. Confirmation that you are processing my personal data.
  2. A copy of my personal data.
  3. The purposes of the processing.
  4. The categories of personal data concerned.
  5. The recipients or categories of recipients to whom my personal data has been or will be disclosed.
  6. The envisaged period for which my personal data will be stored, or the criteria used to determine that period.
  7. The existence of my right to request rectification or erasure of my personal data, or restriction of processing, or to object to such processing.
  8. Information about the source of my personal data if it was not collected directly from me.
  9. The existence of automated decision-making, including profiling, and meaningful information about the logic involved.

Below is my information for your reference:

Name:
Email:
Address:

This request is of utmost importance to me and should not be ignored. The GDPR mandates that you respond within one month. Failure to comply may result in further action being taken.

Thank you for your prompt attention to this matter.

Sincerely,


1. Copy and send this letter to the data controller of the organisation.

2. Follow up until you hear back. The GDPR requires a response within one month.

3. No response? Lodge a complaint with your local data protection authority.
