Who has my data? Mapping and shrinking your data trail

You can’t send rights-requests into the void — first find the holders. Inboxes, password managers and a handful of registers reveal most of your data trail in an afternoon.

Nobody keeps a central list of who holds your data — but you can reconstruct it. Your inbox is the index: search for “unsubscribe”, “your account”, “welcome” — every hit is a controller. Your password manager (or browser’s saved logins) is the second index. Payment statements reveal the subscriptions you forgot. The big shadow-holders: credit-reference and fraud-prevention agencies (national credit registers), address brokers and “people search” sites, loyalty programmes, ad-tech intermediaries (check a big platform’s “off-platform activity” page to see which shops report your purchases), and data brokers who enrich marketing lists. Each is a controller; each owes you Art. 15 access and honours Art. 17/21. The efficient sweep: pick the ten most sensitive holders — bank, insurer, telecom, credit register, top platforms — and file access requests; for the long tail of shops, skip access and go straight to erasure. Platforms’ takeout tools give you the bulk of content data without a letter. Connected devices too: cars, TVs, wearables and doorbells report home — the Data Act (applying since September 2025) obliges makers to hand over device data on request. When a holder stonewalls, the escalation in Request ignored applies; when you don’t know who is behind a site, its privacy policy must name the controller (Art. 13) — no policy, instant complaint to your DPA.

Verified against the sources above on 18 July 2026. Information, not legal advice.

← Who to contact📞 Your data protection authority