Being silenced in the EU?

FORMAL NOTICE

Subject Access Request & Right to Data Portability Pursuant to Articles 15 and 20 of Regulation (EU) 2016/679 (General Data Protection Regulation)  

Date: 27 February 2026

To: Substack Inc. Data Protection Officer / Privacy Team privacy@substackinc.com

From: Your own name Physical address

Email registered with Substack: email address (ps if you’re using a mask, give both)

Substack publication: your Substack name  

Dear Sir or Madam,

I am writing to exercise my rights as a data subject under the General Data Protection Regulation (EU) 2016/679 (“GDPR”). I am an EU resident based in Milan, Italy, and the GDPR applies in full to your processing of my personal data.

My account has been suspended by Substack. Despite this suspension, my rights under the GDPR remain fully in effect. Account suspension does not extinguish, diminish, or in any way affect my data protection rights. I therefore make the following requests.

1- Subject Access Request (Article 15 GDPR) Pursuant to Article 15, I request a complete copy of all personal data you hold concerning me. This includes, but is not limited to:

(a) All articles, posts, drafts, and editorial content I have created on the platform;

(b) My complete subscriber and mailing list, including all email addresses of individuals who subscribed to my publication;

(c) All comments, notes, and interactions I have made on the platform; (d) All account data, profile information, and settings;

(e) All analytics and engagement data associated with my publication;

(f) Any internal records, flags, reports, or moderation notes relating to my account, including the specific content or conduct that allegedly triggered my account suspension;

(g) Any correspondence or communications relating to my account.

2- Right to Data Portability (Article 20 GDPR) Pursuant to Article 20, I request that the personal data I have provided to you be delivered to me in a structured, commonly used, and machine-readable format. Specifically:

(a) My subscriber/mailing list in CSV or equivalent machine-readable format;

(b) All my published and draft content in a portable format (e.g., HTML, Markdown, or JSON);

(c) All associated metadata, including publication dates, subscriber counts, and engagement data. Article 20(1) is clear: this right applies to data provided by the data subject and processed on the basis of consent or contract. My content and subscriber list fall squarely within this scope.

3- Request for Transparency Regarding Suspension: Pursuant to Article 15(1)(h), where my personal data has been subject to automated decision-making, I request meaningful information about the logic involved, the significance, and the envisaged consequences of such processing. If my account suspension was triggered in whole or in part by automated content moderation systems, I am entitled to this information. I request that you identify the specific content that allegedly violated your policies and the specific policy provision that was allegedly breached.

4- Compliance Timeline: Under Article 12(3) GDPR, you are required to respond to this request without undue delay and in any event within one month of receipt. I note that this deadline runs from the date of receipt of this request, not from any future resolution of my account appeal. Consequences of Non-Compliance: Should you fail to comply with this request within the statutory timeframe, I will:

(a) Lodge a formal complaint with the Garante per la protezione dei dati personali (the Italian Data Protection Authority), as is my right under Article 77 GDPR;

(b) Reserve the right to seek an effective judicial remedy under Article 79 GDPR; and

(c) Note that infringements of Articles 15 and 20 are subject to administrative fines of up to €20,000,000 or 4% of total worldwide annual turnover, whichever is higher, pursuant to Article 83(5)(b) GDPR.

5- Identity Verification

I am sending this request from the email address associated with my Substack account, which should be sufficient to verify my identity. Should you require additional verification, please advise promptly so that compliance is not delayed.   I trust you will treat this request with the urgency and seriousness that the law requires.

Yours faithfully,  

Your name

27 February 2026  

Apologies: the automated numbering is nuts.

Note: This letter should be sent to privacy@substackinc.com. Retain a copy with proof of delivery (read receipt or equivalent). The 30-day compliance clock starts on the date they receive this request.